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ABSTRACT 


This research represents a preliminary step in the development of a reliable 
application program simulating an operating system which handles several multi- 
security-level users dynamically sharing system resources in the Gemini Trusted 
Multiple Microcomputer Base machine. 

The proposed design presents the necessary steps to follow when working in a 
multilevel configuration. The use of primitives that support the application design 
are explained along with a description of the implementation of this application 
using Janus/Ada language. In addition, security constraints are identified and 


system test results are described. 
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INTRODUCTION 


Ee “GENERAL DISCUSSION 

This thesis presents the design and part of the implementation of software for 
the Gemini Computer, under CP/M-86 and GEMSOS Operating Systems, to 
allow the dynamic sharing of system resources in a multilevel secure computer 
system, using Janus/Ada language as a host language. 

Security has traditionally been provided by physical measures (fences, police, 
dogs. alarms. etc.) to prevent unauthorized access to computers. But today this is 
no longer sufficient. The extensive use of networks brings the possibility of 
uncontrolled access to the resources of any installation from remote sites. 
Discretionary security measures. i.e., "password" types, alone are not totally 
adequate where security of information is paramount (Ref. 1]. Steps must be 
taken to strictly reinforce a non-discretionary policy as well. This situation 
provides enough motivation to look for more reliable methods to control and limit 
the access. 

This necessity of TET Computers is even more critical and compulsory in 
military organizations. where many delicate decisions depend on the quality of the 
information, which if known or modifiable by unauthorized users. creates a risk to 


the country’s security. 


The Naval Postgraduate School is involved in the use of microcomputers in 
its Microcomputer Laboratory in which several of them are networked together 
through a concentrator for information sharing. These systems are to be used by 
people with different levels of security clearance who handle information with 
multiple security classifications. This application necessitates the use of a mass 
storage system with the ability to limit access to classified programs and data. 
The only effective way to insure multi-level internal security is by employing a 
Trusted Computer Base [Ref. 2| such as provided by the Gemini computer. 

Figure 1.1 shows the proposed configuration of a microcomputer system 
having the Gemini computer at its base. The Gemini System provides the base 
laver of an operating system which implements internal information security 
through a "security kernel" design (Ref. 3:pp. 1-2]. To construct the 
architecture proposed in Figure 1.1 requires implementing the top layer of the 
operating system for handling the Input/Output operations. Three design 


elements can be identified : 


1) The Concentrator. The concentrator will contain a software "crossbar 
switch" which allows dynamic switching for I/O interconnection between 
attached systems. 


2) The Dynamic Assignment of Security Access Levels to I/O devices. In this 
aspect. the main idea is to manage the access level of the terminal without 
relating it to an specific connection. The access level should be dynamically 
recognized by the characteristics of the user, rather than be limited to a 
secondary issues such as location or terminal number. This is the main topic 
addressed by the current research. 
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3) A Segmented "File" System for Mass Storage. The purpose of this system 
would be to provide a one-level segmented storage system for mass secondary 
storage (hard disk) within a secure environment. 
EEES IS FORMAT 

This thesis is composed of six chapters organized in such a way as to provide 
the reader with the background necessary to understand internal multilevel 
computer security concepts, in particular dynamic sharing of system resources. 
Simple guidelines in software development are introduced and a design is 
presented for the implementation of a prototype system which allows several users 
with different clearance levels to share system resources. 


Chapter I provides general information focusing on reasons why Multilevel 


Secure Systems are important. 
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Chapter II addresses the background necessary to understand Multilevel 
Security concepts and explains the Gemini System Architecture and possibilities. 

Chapter III provides specific information related to the steps necessary to 
produce basic application programs in the Gemini System. 

Chapter IV describes the design of a small "Operating System" application 
program that will handle dynamic sharing of resources, in particular I/O. 

Chapter V presents the description of the support modules used to develop 
application programs, and describes the implementation constraints and the steps 
performed to complete an application. 

Chapter VI discusses the results obtained from this research effort. It also 
suggests future investigations in this field as a continuation of the work performed 


in this thesis. 
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M BACKGROUND 


ES MAS TB COMPUTER SYSTEM 


Most of the basic concepts and definitions mentioned in this section are 


referenced to the standardization performed by the Department of Defense (DoD) 


related to Trusted Computer Systems. These standards are contained in "DoD 


Trusted Computer System Evaluation Criteria" [Ref. 2] published in 1983; it lists 


definitions and concepts, and provides detailed criteria pertaining to the test and 


evaluation of trusted computers. 


The security policies considered are mandatory (non-discretionary) security 


and discretionary security. 


Mandatory Securitv is defined as : 


Security Policies defined for systems that are used to process classified or 
other specifically categorized sensitive information must include provisions 
for the enforcement of mandatory access control rules. That is. they must 
include a set of rules for controlling access based directly on a comparison of 
the individual’s clearance or authorization for the information and the 
classification or sensitivity designation of physical and other environmental 
factors of control. The mandatory access control rules must accurately reflect 
the laws, regulations, and general policies from which they are derived. |Ref. 
ype te 


Discretionary Security is defined as : 


Security Policies that are defined for systems that are used to process 
classified or other sensitive information must include provisions for the 
enforcement of the discretionary access control rules. That is, they must 
include a consistent set of rules for controlling and limiting access based on 


13 


identified individuals who have been determined to have a Need-to-Know for 
the information. [Ref. 2:p. 73] 


As the names imply. mandatory policy contains a set of rules : .at are 
imposed on all users in the organization. and discretionary policy is a specific set 
of rules further limiting access on a "need-to-known" basis. 

A multilevel secure system in a conventional computer system is impossible to 
attain without a way to enforce the policies previously indicated. Security e be 
broken without knowledge of the user because intentionally or not, there are 
possible unsecure points that will allow access to the system. A typical example of 
this problem is a "Trojan Horse" program [Ref. 4:p. 66] provided by a third 
source which may have code intentionally "hidden" with the purpose of copying 
the user's access control code [Ref. 5:pp. 55-56] when the user executes the 
program. This represents an illegal condition. 

The mandatory  (non-discretionarv) and discretionary policies are 
implemented in a "security kernel" which provides mechanisms for limiting the 
access to the information. Security Kernel is defined as the hardware and 


software that realizes the ' 


'reference monitor" abstraction (l.e., the realization of 
these limiting policies), and in turn provides the idea of protection in which the 
active entities (subjects), such as people or computer programs, make reference to 
passive entities (objects). such as documents or segments of memory, using a set 


of current access authorizations [Ref. 6:p. 14]. The access class is divided into 


[Ref. 6:p. 16] : 
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a) Compromise (observe) which states that a subject can not "observe" the 
contents of an object unless the access class of the subject is greater than or 
equal to the access class of the object. 


b) Integrity (modify) which stipulates that a subject may not "modify" an 
object unless the object's access class is greater than or equal to the access 
class of the subject. 

The multilevel secure system considered in this research is focused on the 
access of many users to common system resources without restriction of a 
designated resource to a specific kind of user. Specifically, any user can utilize any 
terminal. and the access class in not limited to physical terminals with fixed 
access levels. The user priviledges. will be determined during a logon process when 
the user provides his username and password. 

Additional explanations and details concerning secure communication 


methods and possible threats involved are described in [Ref. 7:pp. 15-28] and [Ref. 


8:pp. 19-21]. 


pcm ITRHUSTEDMULTIPLEMICROCOMPUTER BASE 
1l. General Information 
Gemini Trusted Multiple Microcomputer Base was the computer used in 
the research of this thesis. It represents an advance in technology combining 
several concepts, Multilevel Security, Multiprocessing and Multiprogramming. to 
provide an important Trusted Base Machine that can be considered for a wide 
range of computer applications where security is a fundamental consideration. 


Actually, it has been evaluated by the U.S. Department of Defense for 
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certification to meet the B3 class [Ref. 3:pp. 1-2]. and is currently undergoing 
evaluation in a specialized application for Al class. 


The major features of this system are (Ref. 3] : 


1) Up to 8 Intel iAPX286-Base microcomputers are connected on the same 
Multibus. 


2) Minimization of bus contention by locating data and code segments in the 
local memory of each microcomputer, whenever possible. 


3) Capability of multiprocessing and multiprogramming. The Gemini Secure 
Operating System (GEMSOS) can multiplex many virtual processors onto a 
single physical processor. and support combinations of parallel and pipelined 
processing. 


4) Connection of different storage and I/O devices using an RS-232 Interface 
Board which can handle up to 8 ports. 


5) The system includes a Bus Controller. a Real-Time Clock. a Data Encryption 
Device (NBD-DES Algorithm). a Non-volatile Memory for storing system 
passwords and encryption kevs. It also provides a System- Unique Identifier. 


6) Each 1AP X286 microprocessor supports 4 hierarchical privilege levels. 


7) CP/M-86 Operating System is used for software development and several 
different programming languages are available to develop application 
software. 


8) Modular Expansion and Configuration Independence. 
2. Resources Management 
At the heart of the Gemini computer system is the GEMSOS operating 
system as previously mentioned. 
GEMSOS resource management services are invoked by an application 


program through a set of calls to a collection of subroutines which represent an 
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interface between GEMSOS and the application. Each language compiler has a 
unique interface library |Ref. 3:p. 4]. GEMSOS manages three classes of entities : 
segments, processes, and devices. 
a. segment Management 
All the information is.stored in logical objects called segments which 
are handled by the application programmer using segment management calls. 
These operating system calls are described in detail in [Ref. 9:p. 10]. 
b. Process Management 
A process can be viewed as an application program that runs under 
the control of GEMSOS to perform some specific activity. The process is created 
by the application program using service calls related to the process management 
described in |Ref. 3:pp. 5-8] and [Ref. 9:p. 23]. In addition to Process 
Management, there are additional concepts related to process synchronization in 
which the application programmer has tools to sequence processes that 
communicate with each other. Synchronization is obtained utilizing eventcounts 
and sequencers [Ref. 10:pp. 115-124] associated with processes. A working 
explanation will be provided in Chapter IV. Process Synchronization calls are 
described in detail in |Ref. 3:pp. 6-7] and [Ref. 9:p. 33]. 
c. Device Management 
The design of the I/O management functions of the Kernel are novel. 
The basic idea consists of reducing the code needed in the Kernel to control I/O 


functions, by incorporating many of the details within the application program. 


Ez 


The result is a reduction of the Kernel's size and the verification is easier. 
Security checks are performed only when the device is attached to a process |Ref. 
3:pp. 8-9]. I/O PP EIE service calls are described in [Ref. 11:p. 38]. 
3. Gemini Security Seen een 

Since the iAPX286 Microcomputer supports 4 protection levels, GEMSOS 
uses these levels to enforce the security critical layering of the system. Protection 
levels are called Ring 0 thru Ring 3. with Ring 0 the most privileged ring [Ref. 3: 
p.10]. Ring O supports the Mandatory (non-discretionary) Policy and Ring 1 
contains the Discretionary Policv. the combination of which comprising the 
Security Perimeter and the greater portion of GEMSOS. 

Ring 1 also holds functions such as user authentication. system security 
officer functions and audit functions. Ring 2 is used for common services utilized 
by many users. e.g., Database Management System: Ring 3 is used as application 
lavers for programs and data: both are outside of the Security Perimeter and can 
be used during the system development process (i.e., as in developing the upper 
laver of an application system as is the focus of this research), and for the 
execution environment for users programs. 

Process management in the GEMSOS architecture is through the use of a 
two level trafic controller design (inner traffic controller or bottom level, and 
upper traffic controller). 

The inner traffic controller binds a physical processor with a fixed number 


of "virtual processors". Two of these are used to support system services (an idle 
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virtual processor and a manager virtual processor) and the others are available to 
the upper level traffic controller. The inner traffic controller also provides the 
primitives for synchronization between virtual processors emulating a 
multiprogramming configuration. 

The upper level traffic controller multiplexes a number of processes onto 
the virtual processors feared by the inner traffic controller. These functions are 
performed in each of the physical processors comprising the Gemini computer (up 
to 8) |Ref. 7:pp. 14-15]. through a distributed operating system. 


4. Naval Postgraduate School Version of Gemini 


a. One APX286 Microcomputer 
b. Two 1.2 Mbyte floppy disk drives 
c. One RS-232 Interface Board (max 8 ports) 


With this configuration. GEMSOS must multiplex the processes created 
onto virtual processors and then onto a single physical processor. The 
synchronization primitives support the communication among processes. It is 
important to note that in this configuration. a multiprocessing environment does 


not exist. The potential for exploiting processor parallelism does not exist. 
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III. SOFTWARE DEVELOPMENT OVERVIEW 


A. GENERAL DESCRIPTION 

This chapter provides the foundation for the necessary steps to develop 
software in Gemini machines. It is important because it provides the basic 
components that are needed. Considering that Gemini is a new concept in 
Multilevel Secure machines. it is still not user friendiv. A bridge between the 
application programmer and the operating system service primitives had to be 
created in order to develop reliable software. 

The basic Gemini operating system is limited and onlv supports those 
operating system functions which are concerned with system security. Thus, only 
an operating system base is provided upon which an upper level i.e., I/O handler, 
file manager. etc. must be provided to support specific user requirements. 

Subroutines or modules were prepared to perform the interface between the 
programmer and the operating system primitives. A complete explanation of 
these modules is provided in the design and implementation chapters. 

The objective of this chapter is to present an ordered method of developing 
application software within the environment. It should be considered as a guide 
and not as a fixed set of rules. The facts considered here are taken from the user’s 


manual [Ref. 9]. 
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MEERA CSAL STORAGE STRUCTURE 

The Gemini System provides a one-level secondary storage system for 
information (In the NPS configuration. secondary storage refers to floppy disks). 
File concepts are not supported by Gemini. but instead segments are used which 
are considered as objects having logical attributes related to them (1.e.. security) 
and being of a maximum 64 K bytes size. Segmentation is extended to secondary 
storage, providing the one-level storage system. 

The segments are handled bv the svstem as a hierarchy. where each segment 
is identified by a unique path name. This segment’s "handle" corresponds to the 
index of an entry in the Local Description Table (LDT) of the process that creates 
and/or uses the segment. As such. a single segment can have many different 
handles depending on where and how many processes enter it into their respective 
LDT tables. But it has only one unique path name in the hierarchy. 

The representation of segments follow a hierarchical structure in which the 
root is the System Root (transparent to the user) and the whole collection of 
segments is assembled as an inverted tree. Each users program is part of the 
hierarchical structure and it is declared as a segment that is statically created at 
system generation time using the Sysgen Submit file explained in [Ref. 11:pp. 12- 
14). 

System generation consists of creating a hierarchical structure of all segments 
known to the system at system runtime, in particular at system "Bootload". It 


basicallv is the inclusion of the segment hierarchy comprising the upper levels of 
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the application target system, into the provided base level hierarchy that is known 
as GEMSOS. This is accomplished by utilizing segments declared in the submit 
file, 1.e., the sysgening process creates a hierarchy using the segments indicated in 
the submit file. 

Figure 3.1 shows a typical hierarchical structure representing the entries that 
GEMSOS requires to run programs. This structure is fixed and must be 
considered in the development of any application program. Figure 3.2 shows the 
addition of segments necessary to execute a specific application. Entry 5 in the 
T structure is always dedicated as the "root" of user applications. This 
entry is the root or mentor of all the segments that are needed to implement the 
upper levels of the system application program. Under the Gemini concept, a 


segment can support up to 12 descendants (entries) numbered from 0 thru 11. To 
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support this concept there is an "aliasing" table that relates the segments to their 
mentors; a segment can only have one mentor [Ref. 11:p. 1]. 

When an entry is used, it cannot be assigned again until a delete segment call 
marks this segment as available. The numbers indicated in both figures 
correspond to entry numbers of segments associated with a mentor (from 0 thru 
11); segment numbers have a different enumeration, which correspond to their 
entries in the LDT. 

bech segment in the system has a unique pathname that identifies it, but this 
identifier is not used by the application processes. Instead a process-local segment 
number is used. When two processes share the same segment. each one recognizes 


the segment by the number assigned in its own LDT. 
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In Figure 3.2 the path 5.7 corresponds to a segment that holds the code of a 
child application program and must be declared in the Submit file. Entry 3 is the 
mentor of Entry 7. This creation is static and the path indicated must be known 
in the application program. On the other hand, the path 5,5,7 1s used to hold data 
and will be created dynamically during execution of the application program. A 


more complete explanation is presented later in this chapter and in Chapter IV. 


C. 1/0 DEVICE ASSIGNMENT 

The process of "Attaching Devices" must be accomplished before an I/O 
device becomes "known" to the system. It involves assigning a logical process to 
the I/O device so that the device then is known by its process. The process then 
contains the device drivers. This step is necessary before any I/O operation. A 
device can be declared either as a Read (input) or Write (output) device, as part 
of the information provided to the Attach primitive call into GEMSOS [Ref. 
9:pp. 39-41]. A device can be attached to only one process at a time. an error will 
occur if an attempt 1s made to attach a device more than one time. 

The inverse step is called Detach devices. in which the associated process 1s 


eliminated and the device becomes available for further assignments [Ref. 9:p. 42]. 


D. PROCESS CREATION 
This section describes the steps that should be considered when creating a 
process. One process is created from another. The "creator" process is known as 


the parent and the created process is known as the child, also having its own 
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unique identifier. The child process receives its fixed amount of resources from the 
parent. subtracting from the parent's overall resources. A process is a collection 
of segments known to the process. The segments are managed using a set of 
primitive functions or "calls" provided by the system. An address space is created 
to hold a segment. The application programmer must make use of GEMSOS 
primitives in creating and using this address space. 

The sequence of steps that must be followed in order to create a process, 
starts with the creation of a segment in the address space using the resources 
available on secondary storage. The primitive create is called. resulting in the 
creation of the address space for this segment. The next step links the space 
created with a specific process that will use it. In other words. a recognition of this 
segment is performed in which the process makes the segment known to itself by 
entering it in the next available entry in its local description table (LDT). The 
result is the identification of this address space by a number that is called 
segment number which will be used when the segment is referenced. The 
primitive used is makeknown. The result is the identification of this segment for 
the process and to the system. 

The last step is related to the utilization of this segment; a segment must be 
in Main memory in order to be used. This function is ve Gët using the 
primitive swap-in. which produces the loading of the segment from secondary 


storage into main memory. 


When the segment is no longer needed by the process. 1.e.. process completed 
execution, an inverse action must be performed in order to release the space used 
by the segment. As in the steps declared above, a logical sequencing must be 
followed, starting with the release of the memory used by the segment. This 1s 
performed by the swap-out primitive in which the segment is written back out 
to secondary storage. The next step is the elimination of the association 
segment-process. Elimination of a segment from a process address space is 
performed by the terminate primitive: the association is broken. and the entry 
number used in the LDT of that process 1s available again. 

The total removal of a segment from the system address space is 
accomplished by using the delete primitive: the result is the removal of the 
segment from the system and process local name space. and the returning of its 
address space back to the system resources. The steps necessary to create a 
process are indicated in the Figure 3.3. 

1. Create / Makeknown Segments Module 

A process needs a minimum of two segments. a code segment and a stack 
segment, in order to be created. The code segment for a process is declared in the 
Sysgening Submit file and is created automatically by the system during the 
system generation (statically). 

The stack segment, as well as any additional segments, are created in the 
user's program (dynamically) by making the appropiate operating system calls for 


Create and Makeknown. These calls will be explained later in this chapter. 
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Figure 3.3 Process Creation Main Modules 


2. Address Space Specification Module 

The address space specification contains a list of the segments that will be 
passed by the parent process to the new process (child). In addition, the attributes 
of each segment to be passed are loaded into this module. The address space 
specification of a process is composed of 5 segments : a stack segment, a code 
segment (both are compulsory), 2 free segments (can be used as application 
mentor and for holding data) and a trap segment that is automatically created (it 
is declared in the submit file) and handled bv the system. It holds information for 
GEMSOS that will be used when a user trap fault is detected. These segments 
correspond to entries 20 thru 24 of the Local Description Table to be associated 


with each process. 
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3. Register Record Module 
This module performs the initialization of the register record which 
defines the state in which the program will begin its execution. The register 


record contains the following fields [Ref. 9:p. 27] : 


1) Instruction pointer (ip) .- Specifies the code offset address. 
2) Stack pointers : 
- SP . The initial stack pointer for the new process. 
- SP1 .- Points to the base of the ring 1 stack segment. 
- SP2 .- Points to the base of the ring 2 stack segment 
(if one is used). 


4. Resource Record Module 
In this module the new process (child) attributes are declared. and the 
amount of resources that the parent em will have to provide to the new 
process are defined |Ref. 9:pp. 27-28]. The resources received by the child process 
are subtracted from those of the parent. The amount of resources needed by a 
child will depend of the kind of application that a child wil] perform. The 


resources involved are [Ref. 9:pp. 27-28| : 


- Amount of memory (blocks) that the child is allowed to swapin. 
- Maximum number of processes that the child is allowed to create. 
- Total number of segments that the child will have. 


In addition to the resources. a child process number must be declared that 
uniquely indentifies this child. Also the child's access class must be specified which 
must be within the parent's range. The resources passed to the child process are 


recovered by the parent when the child finishes its execution and self deletes. 
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5. Create Process Module 

The primitive Create Process is called. resulting in a new process being 
created. A success code is returned by the operating system to indicate success or 
failure for this operation. The parameters passed by this module are the record 
description of the process to be created (rl cp struct) and a variable called 
"Success" that will hold the execution’s result of this primitive. The application 
programmer must fill all the fields related to the characteristics. attributes and 
resources that the new process will have. A description of the record 
"rl cp struct" is given in the library AGATE.LIB provided by Gemini 
Computers Inc., and in |Ref. 9:pp. 24-28]. Error codes are explained in [Ref. 9:pp. 
84-93]. All the modules described above can be executed in any order before the 


execution of this module. 


Doc DESCRIPTION TABLE (LDT) 

Since the actual use of the GEMSOS primitives requires interfacing to the 
upper level of the application system under development. special interface 
routines had to be implemented. The next three sections describe these interface 
routines. A process has a fixed collection of segments which comprisess its address 
space; these are known by the process as entries in its Local Description Table 
(LDT). Each process can have up to 52 segments (from 0 thru 51) known to it at 
one time. Segments 0 to 19 are used by the Kernel, segments 20-24 correspond to 


segments pre-defined in the address space definition of the new process |Ref. 9:pp. 
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26-27]. and segments 25 through 51 are available to the application programmer. 
This segment distribution is fixed in the LDT and can not be modified. A fatal 
error will result if a system segment is used for other purposes (segments 0 thru 


24). 


F. CREATE/DELETE SEGMENT 

Because a process is a collection of segments. segment creation is an 
important step that should be considered during process creation. Lach segment 
has its own attributes which are specified in a Create seg struc record; this 
record must be declared before calling the primitive Create segment. The 
segment is created with the specified attibutes, and the addition of a new branch 
in the hierarchical structure is made |Ref. 9:pp. 14-15]. The inverse action is the 
Delete segment call, where a segment created previously is removed from the 
hierarchical structure. this call should be performed when the specified segment is 
no longer needed [Ref. 9:pp. 16-17]. This call must be used when a process 
finishes its execution because the applicable segments are not automatically 


removed. 


G. MAKEKNOWN/TERMINATE SEGMENT 
The Makeknown segment call adds the specified segment to the address 
space of the calling process (including the segment number in its LDT table) [Ref. 


9:pp. 17-19]. Like all the primitives it has its own record Mk kn structure, 


which must be initialized with the pathname that the segment will use in the 
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hierarchical structure. Complete details are provided in Chapter IV. The inverse 
step eliminates the pathname created in the makeknown process and also frees the 
segment number from the LDT table. This primitive is Terminate segment 


and it is described in [Ref. 9:p. 20]. 


H. SWAPIN/SWAPOUT SEGMENT 

A ‘segment is created in secondary storage by first utilizing the primitive 
Swapin seginent. to provide main memory space for the new segment, and the 
writing the new segment out to secondary storage by utilizing 
Swapout segment primitive. This function call writes any segment currently 
stored in main memory out to secondary storage |Ref. 9:pp. 21-22]. releasing the 


main memory. 


NES UNOFIRONIZATION 

Synchronization among processes is maintained by the use of eventcounts and 
sequencers |Ref. 10.pp. 115-124], which are maintained in segments used to 
synchronize processes. The segments used must be common to all the processes 
involved in the same synchronization. An eventcount is maintained by an integer 
counter under control of the cooperating process. Completion of an operation 
(event) is signaled by incrementing the eventcount. The updated eventcount 
provides a signal to a waiting process that the operation which it has been waiting 


for is complete. The primitives used are described in [Ref. 9:pp. 33-37]. 


IV. SYSTEMSDESIGN 


A. INITIAL DESIGN 
1. Objective 
The initial piece of the design was to build the upper levels of an 
operating system based on the Kernel provided by GEMSOS, which would 
provide multiuser mass secondary storage capability. in a multilevel, secure 
internal environment. User access through (apni m was initially to be without 
physical security barriers, and terminal access levels determined dynamically 
based on user access levels. I/O device servicing was to be interrupt driven. 
Figure 4.1 shows the initial design containing 3 main modules that compose the 
upper levels operating system : Basic Input/Output (BIOS). Console Command 
Processor (CCP). and Basic Disk Operating System (BDOS). Implementation of 
these modules duplicates the same organization used in CP/M or DOS Operating 
Systems. Secondary storage is to be by segments. providing a "one level" storage 
system. 1.e., no file concept. Security is provided by the GEMSOS operating 
system. 
2. Initial Design Constraints 
One major limitation to the above design was the restricted way in which 
GEMSOS handles interrupts. I/O interrupt handlers currently can not be used 
irom ring 2 of®3 Wels and as such can not be developed in the BIOS module. 
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BIOS 


BDOS 


Figure 4.1 Initial Design 


Future versions of GEMSOS from Gemini Computers Inc. will resolve this 
constraint, but the efforts in this thesis were restricted to programmed I/O type of 
device handling. 

The second limitation was related to the number of users that the BIOS 
module can handle. Since the communications are performed through a RS-232 
interface board with 8 ports. and each user needs one physical port (read/write), 
the maximum number of users is 8 (without considering a device for the main 
application program). This limitation still exists in the Naval Postgraduate School 


system configuration. 


D. COMPROMIISE DESEE: 
1. Objective 

The primary objective 1s the same as declared in the initial design, except 
that the BIOS module is replaced by a dedicated program to handle each 
terminal, instead of several terminals handled by one program. Each of the 
programs are identical routines which operate at a System high access level to 
identify a new user through the terminal, and create a corresponding access level 
process to which the terminal is then "attached". Figure 4.2 shows the actual 
design used. 

With this design. Gemini's capabilities of multiprocessing can also be 
taken advantage of. E user can have a virtual processor attached to itself and 
work in a multiprogramming configuration, limited onlv bv the resources available 
(processes. segments. memory. ports. etc.). Considering the NPS system, it is 
possible to emulate multiprocessing with a single processor in which GEMSOS 
multiplexes the processes using synchronization methods. The distribution of the 
system resources among individual users can be dynamically assigned/reassigned 
based on the needs of the user. The amount of resources assigned to the users 
must not be greater than the resources that the complete system has. 

2. Actual Design Constraints 
As previously mentioned. the number of users is limited to 8 because of 


the NPS system configuration. 





User User s User 
Handler Handler Handler 


Active 
User 





BDOS 


Figure 4.2 Actual Design 


The second limitation is related to the size of the LDT, 1.e., the number 
of entries that the application programmer is able to use. If a process nominally 
needs 3 segments (stack, code. and data) this means that not more than 9 
processes can be created in the main application program. Considering the actual 
design in which a process creates another process, it means that for each user 
process six segments are needed. Since there are only 27 segments available in the 
LDT for each process, then the maximun number of processes is 4 (3 users and 


the BDOS process). By including the data segment in the stack segment, only 4 
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segments are needed for each process, the result is a maximun of 5 users and the 
BDOS process. 

An additional limitation comes from the fact that there are no developed 
modules to handle the hierarchical structure or to handle the LDT table of each 
process. This means that the next available entry or segment number in the LDT 
or the next entry related to a segment mentor are not dynamically provided by 
the system and must be obtained in some way. Instead of designing and 
implementing these modules, temporary modules were designed to create 
parameters that were useful to the system. A complete set of modules was 
provided by Gemini Computers Inc. when the system was delivered, but these 
were coded in Pascal MT+ and the implementation language for this research was 
Janus/Ada. Conversion from Pascal MT+ to Janus/Ada was one alternative but 
there was no documentation of the function and structure of these modules 
resulting in the creation of parameters instead of conversion. 

These temporary modules create parameters statically for those that the 
system should provide automatically. Using these temporary modules it 1s possible 
to evaluate system functions and e how the the hierarchical structure 1s 
maintained. 

3. Hierarchical Structure Design 

Figure 4.3 shows the complete structure design of the system, considering 

the segments needed to work with 3 users. The numbers indicated inside the 


circle represent an entry number in the mentor’s LDT (maximum 12 segments), 
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Figure 4.3 System : Hierarchical Structure 





and the numbers shown outside the circle represent the process-local segment 
numbers of the CCP application program. They are used to identify each 
segment. This can be seen in Figure 4.4. The hierarchy shows the segments 
33.35,37,39 as segments that hold the code developed to support the application 
program in each specific level : User Handler ee and the BDOS process. 
These segments are specified in the Submit file and are created in the sysgening 
process together with those segments needed to hold the code of the three Active 
Users processes. The segments 32,34,36,38 are used to hold the stack segments, 
and the segments 40,41,42,43 are used to pass information between processes. 


The segment 51 is used by CCP to effect synchronization with the other processes, 
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Figure 4.4 Address Space Specification for each user process 







awaiting the eventcount of this segment until some other process advances it, 


thereby letting the CCP execute its functions. 
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Figure 4.5 Hierarchical Structure : User Processes 
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A unique pathname identifies each segment in the hierarchical structure. 
An example of this concept is shown in Figure 4.5. This tree represents the user 
handler application code segments and their segment numbers in each process. 

Although the segment numbers are the same (32,33,34), they differ by the 
pathname associated with them, i.e., pathname 5.7,3,1 (userl) pathname 5,8,3.1 


(user2), and pathname Usera). 


C. SYSTEM SOFTWARE DESIGN 
1. Application Programs Design 
The design was divided into 2 types of programs. applicative programs 
(Main Application program CCP. User Handler program. Active User application 
program. and BDOS application program) and utility programs (common 
procedures and functions). Structured programming techniques were used to 
develop the application programs. These techniques are well supported by the 
implementation language selected. Janus/Ada. Figure 4.6 shows the modules 
supporting the Main Application program (CCP) that are used to manage the 
whole system. 


These modules are : 


1) Load parameters 
2) Create segments 
3) Create processes 
4) Synchronize processes 
5) Delete Processes 
6) Terminate segments 
) 


Delete segments 


~] 
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MAIN APPLICAT. 


PROGRAM 
(CCP) 





load create create synchr delete terminat delete 
paramet | | Segments] | process| | process process | |segments| | segments 


Figure 4.6 Main Application Program 


Each module was developed as an independent procedure or function. 
requiring, in some cases, additional subdivisions because of the high complexity of 
the module. These modules represent upper level interfaces to GEMSOS system 
calls. 

a. Load Parameters Module 

Figure 4.7 shows the table of parameters created by this module. In 
addition it creates another table with segment numbers that will be used to 
synchronize the main application program (CCP) with the Active User programs. 

b. Create Segments Module 

This module creates the segments necessary elther to represent some 
part of the hierarchical structure or to perform synchronization among processes. 
The size of these segments is fixed (1 byte) because they only function as mentors 
of other segments or as synchronization segments. À synchronization segment is 


created as a common segment, which must be known for all the processes in the 
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Figure 4.7 System Parameters 





application program. This is necessary because the execution of the main module 
CCP must be accessible to all processes communicating with the CCP to perform 
some operation. 


The segments created are: 


1) Function: mentor of stack and data segments 
of the User Handler processes 


Mentor  : initial segment (2) system segment 
Entry Aes 

Classif : unclassified 

Number : 3l 


2} Function: synchronization 
Mentor  : segment 31 (created previously) 
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Entry >: ll 
Classif : top-secret 
Number : 51 
c. Create Process Module 
This module contains a loop that is executed 4 times which creates 
three User Handler processes (3) and the BDOS process. All of these processes will 
have multilevel access classes to handle users with different levels of clearance. 
This module is sub-divided into sub-modules that are easier to test 


and understand. The sub-modules are : 


1) Create and Makeknown segments 
2) Fill the Address Specification 

3) Initialize the Register record 

4) Fill the Resource record 


An explanation of each module was provided in Chapter lll. The 
main point here is that the process will be created using the paramenters loaded 


reviously and each process will receive the following resources : 
e e 


Memory : 100 bytes 
Segments : 300 segments available 
Process : 1 (max number of processes that can create) 


d. Synchronization Module 


The synchronization used can be cataloged in one of four types : 


1) Main Application Program-User Handler Process. This is performed in two 


ways : 


- After process creation the User Handler Process communicates that it was 


created and returns control to WE P: 
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- During process synchronization the User Handler Process will communicate 
to CCP that a User (terminal) is active or inactive. 


2) Main Application Program-Active User Process. This is performed when the 
Active User created by a User Handler process sends a message (command + 
information) to CCP in order to execute some specified operation. i.e.. The 
CCP performs this command (calling BDOS if necessary) and returns a 
result to the Active User. 


3) Main Application Program-BDOS. This synchronization is performed when 
the Active User executes a command that requires BDOS participation, such 
as a read/write segment to secondary storage. CCP receives the message from 
the user and directs it to BDOS. When BDOS executes the command. it 
returns the result to CCP which in turn directs the result to the Active User. 


4) User Handler Process-Active user Process. This is performed when the 
Active User is created and communicates that it was created. returning the 
control to the User Handler. The same communication is performed when the 
Active User finishes execution (entering "bye"). 


When the communication 1s between CCP and a User Handler or an 
Active User, the CCP must recognize which user sent the message in order to 


return the result. The synchronization 1s obtained using the following segments : 
1) Stack Segment. To synchronize the execution of that process. 


2; Data Segment. To determine which user was activated. The CCP stores the 
previous value of the data segment of each process. When User Handlers or 
Active Users send a message, it advances the eventcount (also the 
synchronization segment eventcount) then CCP compares this value against 
the value stored previously. If the result is different it means user activated. 
otherwise CCP checks the eventcount of the next user until an active user is 
found. 


3) Synchronization Segment. To synchronize the execution of the CCP. All the 
processes know this segment in order to activate the CCP execution, 
advancing the eventcount of this segment. When CCP finishes execution, it 
advances the eventcount of the process that activated it previously and then 
waits until another process calls it again. 
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The CCP knows the synchronization segments used by each process 


since they are specified in the system parameters. The segments used are : 










(“user handler i | 32 | 40 — 
active user y [as Jas 
Duende: | e [e 
NEON 
| 


so 











The synchronization mechanisms used here are Await, Advance 
and Read eventcount, as provided in GEMSOS. 
e. Delete Processes Module 
This module will delete the processes created before. It is executed 
when users enter "bye". In addition to this, it will also terminate and delete the 
segments created in the process creation (stack and data). and will terminate the 
code segment. The success of this module depends on the previous self deletion of 
the User Handler process. 
f. Terminate Segments Module 
This module terminates the segments created previously (mentor and 
synchronization segments}. The result is that segments numbered 31 and 51 are 


now available in the LDT. 
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g. Delete Segments Module 
This module returns the space used by the segments terminated 
before, and marks free the entry numbers used to create these segments. 
2. User Handler Application Program 
The design is like that of the CCP design. The differences are related to 
the way the modules perform internally. The function of this application program 
is to create a single access level Active User according to the user clearance level 
determined during the Logon process. It is also divided into the following 
modules : 
a. Load Parameter Module 
This module creates a table with parameters that are needed in the 
Active User process creation. The parameters are the same for all users’ processes 
since each User Handler has its own LDT table. This means that they have 
independent segments. Again, Figure 4.5 shows the structure and numeration of 
each segment. 
b. Create Segments Module 
This module creates the segment that will be used as mentor of the 
Stack and Data segments for the Active User process. One difference between this 
module and the Create segment module in the Main Application program (CCP) 
is that it does not create a specific synchronization segment. Another difference is 


related to the mentor used to create the User Active process. The User Handler 
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program s code was used. because it is unclassified and can satisfy requirements of 
security. 

An unclassified segment has minimum access class constraints and 
can be mentor of classified segments. As such the segment that holds the User 
Handler code was used since it is unclassified and satisfies security requirements. 
The inverse case occurs when a classified segment is used. It can only be mentor 
of those segments with equal or greater classification. This means that segments 
with less access class cannot be created, limiting the participation of users with no 
classification level. In a multilevel system, the mentor segments must be capable 
of handling different kinds of users and segments associated with those users. 

c. Create Process Module 

This module creates a single access level Active User Process (only 
one). The access level is determined when the user enters the system. The 
difference between this module and the one contained in the Main Application 


program is the resources assigned to the created process : 


Memory  : 60 bytes 
Segments : 100 segments available 
Processes : O (cannot create child processes) 


d. Synchronization Module 


The synchronization used was explained previously; the segments 
used are : 


1) Code Segment. To synchronize the execution of User Handler Process. 


2) Stack Segment. To synchronize the execution of the Active User. 
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This synchronization takes place when the User Handler process 
releases the attached terminal, creates and activates the Active User process 
(advancing its stack eventcount), and waits until the Active User (child) finishes 
execution (entering "bye" and self deleting). When this happens, it terminates 
and deletes the segments created to support the execution of the Active User 


(stack, data, mentor segments), and communicates to CCP that this user is 


Inactive. 
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appl. program 
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terminal 


Figure 4.8 User Active Application Program Modules 
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3. Active User Application Program 
This program was designed following structured programming techniques. 
Figure 4.8 shows the modules that compose the Active User application program. 


These modules are: 


1) Attach terminals (read - write) 
2) Loop 

- Prompt the user 

- Get user input 

- Load data segment 

- Synchronize 

- Put result 

Detach terminals 


Self delete 


Cu 
Na? 


a 


Following the same structure used in the description of the Main 
Application program and the User Handler Application program. the coll 
indicated above are described individually : 

a. Attach-terminal Module 

This module assigns a terminal to the Active User process, the object 
being to allow the user to perform I/O operations. There is a specific 


Attach device call for assignment of read and write. 


— 


b. Loop Module 
This module handles the main process. It starts with the input 
entered by the user, and finishes when the user receives a result for the input 


entered. The intermediate steps necessary to get the output result from CCP are: 


1) Load Data Segment. The segment created to pass data. 
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2) Synchronize with CCP. Data segment is passed to CCP and the 


synchronization segments are activated {advance synchronization and data 
segments eventcounts; await stack segment eventcount). 


c. Detach terminal Module 
This module detaches the device previously attached, returning 
Bas, of this device to the Operating System, making it available for future 
assignments in other processes. There must be a balance between Attach and 
Detach calls, otherwise a — error will occur. 
d. Self delete Module 
lhis module holds the ending of a child process. Self delete is 
required if the next step is delete the child (Active User) process from the address 
space of the parent (User Handler). When the delete process is complete, the 
parent recovers all the resources that were assigned to the child in the 
Create process step. In addition to the Self deletion call, a segment number must 
be specified in order to perform the synchronization. This is due to the fact that 
when the process finishes, it automatically Advances the segment eventcount 


indicated in the Self delete call. 
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V. IMPLEMENTATION 


A. GENERAL DISCUSSION 
Implementation of the model was designed considering one application 


program for each process. The following programs were developed : 


1) Main Application Program- CCP (Appendix A) 
2) User Handler Application Program (Appendix B) ` 
3) Active User Application Program (Appendix C) 
4) BDOS Application Program (Appendix D) 


To this end. it was necessary to construct the following support programs : 


1) Primitive Calls 
2) Auxiliary Functions 


1. Primitive Calls 

The object of this program is to be used as an interface between the 
GEMSOS primitives at the Kernel level of the system and the application 
programs. All primitives use a record structure initialized by the programmer 
before calling for the specific operation. The set of programs developed to perform 
these functions are called "PROCE"; they were built by modifying the 
demonstration program provided by Gemini Computers Inc. and adapting them 
to the requirements of the proposed model. 

The program "PROCE" has two extensions: "PROCE.LIB" contains the 


specifications that can be visible to the user. and "PROCE.PKG" contains the 
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code developed to handle these specifications. T..1s is an ADA feature that helps 
to reinforce security aspects (Information Hiding Principle). 


The procedures developed in these modules are : 


PROCEDURE PRINITIVE SUPPORTED 
CR-SEGMENT CREATE-SEGEMENT 
DL-SEGMENT DELETE-SEGMENT 
MK-SEGMENT MAKEKNOWN-SEGMENT 
MAKEKNOWN-SYNCH Used to makeknown the synchronization 


segments (CCP-to-Active User) 
TERMINATE-SYNCHR-SEG Terminates the segments indicated 


above 
FILL-INIT Fills the resources record needed by 
Create-process primitive 
CR-PROCESS CREATE-PROCESS 


The program listing is contained in Appendix E. Those GEMSOS 
primitives not requiring record initialization (i.e.. Terminate-segment and all 
the primitives used for synchronization) were not included. The primitives 
Attach-device and Detach-device. were separated into the Auxiliary Functions 
program because they may be called in future applications that may not need the 
use of the other primitives declared above. 

D. Auxiliary Functions 

This program contains additional data structure needed by the main 
application program. 1i.e., command record, passwords record description, 
constants used, etc.. It also contains procedures and functions to perform I/O 
operations (read and write), and functions to create paraineters replacing the 
modules that the system needs but were not delivered in the NPS Gemini package 
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(The LDT entry allocation procedure for example). These were described in the 


design constraints of Chapter IV. As in the previous program, some procedures 


and functions provided by Gemini Computers Inc. were used as a basis to 


construct this program segment, with the addition of code and records required to 


support the current research. This program, called "FILES", has two extensions, 


"FILES.LIB" contains the specifications and records. and "FILES.PKG" contains 


the code developed. 


The procedures and functions included are: 


NAME 
GET-STR 
PUT-STR 
PUT-DEC 
ESL 
GET-INPUT 


ATTACH-TEW/TER 


LOAD-PARAM 


LOAD-ACCESS-CLASS 


LOAD-PARAMI 


LOAD-CHILD-ACTIVE 


TEPE 


Procedure - 


Procedure 
Procedure 
Procedure 
Function 


Procedure 


Procedure 


Procedure 


Procedure 


Procedure 


DESCRIPTION 


Gets a string from the terminal 
Displavs a string in the terminal 
Displays a number in the terminal 
Displays a string and a number 

Gets an input string from the terminal 
and echoes the input if the echo option 
is on. It also converts all the input to 
lower case 

Supports the primitive ATTACH 
DEVICE specifying if the device is 

to read or write 

Produces a table of parameters with 
information needed by the main appli- 
cation program (segment number, entry, 
mentor) 

Produces a table with the security 
access level depending on the user level 
Produces a table of parameters with 
information needed by the user handler 
program (segment number,entry.mentor) 
Initializes the Active User record to 
false. It lets the CCP load the Active 
User segments each time a false record 
is found 
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LOOK+POR-LEVEL Procedure Simulates the Logon process. loading the 
access class of the user depending on 
Username and Password 

CONVERT Procedure Assembles the command line using 
the input message typed by the user 


The program listings are contained in Appendix F. 


B. IMPLEMENTATION CONSTRAINTS 
Two factors dictated splitting the implementation into several steps thus 


making the system easier to develop and test. These factors were : 


1) Lack of System Documentation and prior experience. 


2) Time required to develop, implement, integrate and test. 


At the time this research started, sufficient information about the system 
did not exist. As such numerous system "quirks" posed additional time delays in 
the implementation process. Upper level interfaces to GEMSOS had to be 
implemented, at times by experimentation. Program development using an 
unfamiliar set of procedures and new functions is error prone. requiring 
programming tools that are still not available in this machine. Another 
implementation constraint was the time required for program development. 

A main factor related to the speed of development is the fact that a 
program, in addition to compiling and linking. requires a special process, called 
"Sysgen" prior to execution. Sysgening takes longer than 10 minutes each time, 
even if only a single line was changed. Since debugging tools were limited, it often 


took several attempts to find a mistake or the exact way of performing a specific 


53 


operation. As previously described, the "sysgen" process has the functions of 
creating and formating logical volumes in secondary storage. and creating a 
bootable Gemini System Segment Structure on formatted volumes. This 
second function is called each time a program must be loaded to execution |Ref. 


8:p. 1]. The use of the system program (sysgen) is explained in [Ref. 8:pp. 8-18]. 


E IMPLEMENTATION STEPS 

The basic approach starts with a model using the demonstration program 
provided by Gemini Computers Inc. The primary steps followed were : 

JA Single User. Single Security Access Level 

This step established the ability to create a child process and to 

establish communication between parent and child processes. The main issue here 
was the stack size. Its size had to be determined experimentally (AFFF hex), since 
it is not clear as to the correct way to measure the size. The size of the Lid is 


determined by the following constants : 


stack-size = vector-size + segment-manager-size + constant 
= 4 bytes T6 bytes AFFF bytes 


The size of the last constant was derived empirically, and is 
apparently a combination or the amount of memory needed to create a child 
process and the number of processes that can be activated simultaneously in the 


system. 
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2. Several Users. Single Security Access Level 


This step proved the creation and synchronization among several 


processes. The key points were : 


a) The hierarchical structure of the system required special procedures for 


handling. A procedure was created to dynamically determine the next 
segment available in the system. This procedure was written to associate the 
next segment number to be used in process creation, and the entries used by 
each segment. The resulting table of parameters created by this procedure 
was previously shown in Figure 4.7. 


A synchronization method among processes was needed. which included the 
structure needed to determine which process was activated (two 
synchronization segments for each process). 


Communication between processes was developed (passing information). The 
procedure Move bytes is considered to pass information from one process 
to another, an example and further explanation is provided in [Ref. 9:pp. 5- 
6]. 


S. Several Users, Multilevel Security Access 


This step introduced the security constraints needed to work in a 


multilevel secure system. the key points were : 


a) Creation of a Child process (Active User) by another child process (User 


Handler) previously created by a main application program (CCP). This 
addresses the resources passed by the parent process. A balance was 
achieved between the resources passed by CCP when it creates a User 
Handler process. and the resources passed by the User Handler process to 
an Active User process during its creation. In other words the following 
constraints were applied : 


(User Handler (1 + 2 + 3) + BDOS resources) < CCP resources 


Active User resources < User Handler resources 


Development of three kinds of synchronization : between Child (Active User) 
and Parent (User Handler); Grandchild (Active User) and Grandparent 
(CCP); Parent (User Handler) and Grandparent (CCP). Different segments 
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Figure 5.1 Main Application Program LDT 





were used to synchronize the execution of Active User and User Handler from 
those used to synchronize Active User with Main Application (CCP) or User 
Handler with CCP. The synchronization of the Main Application program 
with all users was implemented through the same segment. 


Restrictions imposed on segment handling due to security access levels; 
segments with equal or greater access class must be passed between processes. 
The security access level is composed of two parts : Compromise (Observe) 
and Integrity (Modify). This research worked within Compromise 
constraints. Integrity involves the system's rings, 


levels YE 
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compartmentalization (audit, operator. programmer, etc.), and the concept of 
ring brackets. In order to keep the model simple. integrity was not 
considered. The execution of each primitive checks security constraints and if 
satisfied, the execution continues. otherwise the system aborts for security 
reasons. 


d) Main Application Program Segment Distribution. Figure 5.1 shows the LDT 
table including all segments needed by the seven processes (3 User handler 
processes. 3 Active User processes, and BDOS process). It also presents the 
segments used as mentors of other segments (31 and 44) and the segment 
used to synchronize the CCP (41). | 

Er SYSGEN SUBMIT FILE 


Appendix F shows the Sysgen Submit File used to define the structure of 


the application programs developed in this research. 
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VI. CONCLUSIONS AND RECOMMENDATIONS 


Ae CONCLUSIONS 
1. System Operation 

The security chéck starts with the logon process. If the operator 
has a valid username and password that is recognized by the system, then the 
security level of this operator is adopted for the terminal, otherwise the system 
continues prompting for the username three more times. Failing a correct 
response. the system restarts the logon process. The main testing performed was 
the validation of the segments defined in the submit file. If thev were "classified" 
the operator had to satisfy the security constraints in order to use this 
application. Otherwise. the system aborted the execution and prompted for a new 
logon operation. 

The application programs work according to the design, dynamically 
loading the user's security level in the "terminal logon" process. Access is limited 
to those users recognized by the system and restricted to the use of information 
based on the user's access level. The interaction between Active User-CCP-BDOS 
is performed within security constraints (only compromise). The messages passed 


are "processed" by the CCP and results are returned to the user. 


De Svstem Performance 
Because of the NPS system configuration. the performance of the 


application program is degradated for the following reasons : 


- Single processor emulating parallel processing 
- Secondary storage consisting of only floppy disks 
- Programmed I/O environment instead of interrupts 


B. RECOMMENDATIONS 
1. Hardware Improvements 

A system upgrade should be considered which at least addresses 
adding a hard disk to the present configuration. This would provide an 
improvement in the access time required to handle segments and decrease the 
response time in process creation. In addition, there would be a considerable 
reduction in the system development time, i.e., the time required to compile. link 
and sysgen, frequent operations in the development phase. 

Additionally. to take full advantage of the machine’s parallel 
processing abilities, more processors. two at least. should be added. Memory 
expansion would relax many restrictions currently imposed on process creation as 
utilized in this thesis work. 

De Software Improvements 
The current system as delivered was incomplete with respect to the 


modules necessary to develop application programs in the Janus/Ada language. 
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Software improvements. should include better documentation related to the 


system and debugging and programming tools for the application programmer. 
3: Future Research 
As a result of the research presented in this thesis, areas of related 
research should include the following : 


ae Directly Related to this Research 


(1) Inclusion of integrity access constraints (modify) into this current 
implementation. In this thesis, system integrity was considered at its 
minimum level in order to execute the application programs without 
limitations. Since this is a main issue with respect to the information 
security. a careful implementation should be developed working in this area. 


(2) Development of interrupt driven environment in the current design. 
The initial design using the BIOS module is an event driven system. This 
design approach was not used due to present hardware limitations as 
explained in Chapter IV. "Initial Design Constraints". 


(3) Addressing (solving) the issue of a restricted LDT size. This 
restriction is due to a limited number of application programs or application 
program complexity. since an upper bound of 27 segments are available for 
the user from the bounded LDT of 52 that a process can have. 


(4) Implementation of the "terminal logon" method. This function is 
simulated in the actual development through a module that loads the access 
class of a recognized user. A possible solution would be the conversion of 
those libraries provided by Gemini Computers Inc. from Pascal language into 
Ada language. 


b. Related to Secure Mass Storage System 


(1) Development of software "crossbar" in the Concentrator for 
integration of the Gemini computer into the Naval Postgraduate School 
Laboratory as a Secure Mass Storage System (S3). 


(2) Implementation of BDOS using a design for a one-level segmented 
secondary storage system and a large capacity hard disk (mass storage). 
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APPENDIX A - MAIN APPLICATION PROGRAM (CCP) 


This appendix presents the Main Application Program code. 
including the modules developed to handle the dynamic sharing of system 
resources. Instead of the present system consisting of several programs. each 
containing oie module. all modules are grouped into one main program with the 
indicated modules separated by comments. This program is called "PRMAIN" 


and is listed below. 
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pragma rargecheck( off ); pragma detug( off ); 

pregme arithcheck( off )$} pragma enutab( off ); 

WITH agate, agatej, aril, alib, alibj, strlib, util, proce, 
files; 

PACKAGE BOLY rrmein IS 

USE agate, agatéej, ari, allb, alidj, strlit. ve ee 

files; 
— MUR ONCE MOREM BS SIS SIS TS de de de e e de de de de e e e de de de dese de de ie oh aie aie ais seats sie sig cig ae ais ofc ote ote A MM «A XA 


Constants used ty the trograr 


= See aay --> assigns logical device i*to write 

== DA ONES --> assigns logical device ? to Teme 

P LO EO --> main progrem uses port © of THe RS 
= PREDOS ——? process numter dmm hes Bl 

STI mM CONS TANT 1a vezer.: — iy, 

STORIE CONSTANT integer := Us 

LO BEC rer CONSTANT integer := ð; =- port zero [INM 
NUMBER OF USERS : CONSTANT icin al c= 3; 

NUMBER OF FEOCESS : CONSTANT integer :- 4j 

PRBDOS : CONSTANT integer := 4; 

NUMER orn Cet SUES CONSTANT integer := 1: ee P GIN 
MEMORY AVAILABLE CONSTANT integer := 150, 

SEGMENTS AVAILAELE CONSTANT integer : = soo, 

~~ Varietles used ty Mein programe 

w class access class; -—- secwrity aspe 
Su@cess integer: nou 

els : attachsstruee: 

mode r attach struct; 

denen: i integer: 

def seg du T 4 

TI integer; 

synenr seg integer; 

CIO: Sonata ees 

EE input-messages 


CONDE Sondas Child res ower cies 


init ri. process ais 

ES UE string; 

class access class; 
mentor : integer; 

entry integer; 
Se seg eccess type: 
see aun ber irteger; 

CCP. BUSY toolean; 


Ez 


ch peremeter : rl paremeters; 

ch param : rl param» 

oo leven. - user level, 

ch access level : level _reccrd; 

ch ch user synchro : users active: 


en on eve val EE 
proces Te cer: 


mo active users : integer, 
eve Value : integer, 

Sage active : integer: 
active user : integer, 


index * integer; 
-— MAIN 
BEGIN 
wat ect rl def(): -—  ** this sentence is 


== oullestory 


wie wie wie ale ale ale ale ate slo als vio ale ale ate als ale ale sla KW. ale ais vte sl. wis ale ale sie sie y. ale zie ^ a sie wie ate ate ale sie ve whe wants ale als ste ale ale ale a e wo sir nr e's ale ales 
em emm ey Ld hu ey» om +; aee ES e; >... Us Zus 2> +) > . e e [lw eye ».ye Zum 1> Zus r Zus Zus Ss Zus Sr hd e; ey e,» ` Si e kad gu us Zus ei 1 sman e. e ZS op ya e» ew e Nœ Zus Zë EIX dun 1 A 


E Paine C mee NeS port.f£er writing. 

c Inis centenes is optional ardi is weed to display messe- 
EC Doce ded ty the main application program on tre 

=~ screen . 


eae tew. IO PORT, STDIO_W ;3 


EE EE EE ee Gëft ee e mMin class ): 


wie ale wis ars yz ale wie als ale wle ale slo ale ate ste ale ale slo ale ale «so slo «lo ale ale sle ale sde ale ate s'e se vente ao alo me vts ye ale sae ste ala a'y nie nie ne nle ate ats weno o mir toto 
eya Ld hd eya ey ye ^ e. eu 1> A> eu ayu 1> sy e.» ey» 2> 2> Sp dh Zus Zus Zum Zus ^ eye ^ ^ g> +" "i i Zus e a 2> oy Zus Su 4 Ss a ey ey Ld hd ep e e Ld hd Ld bd Zus eya eya ka yw Ld hd eu e e. a 


== LOAD FARAMETERS MODULE 


== This module. assiens fixed parameters to each process 

e oc rea ted. The parameters are mentor number 
== entry number, segment numter. They ere used to create 

== e@ach segmert needed ty the rrecess to te created 

<= (USER HANDLER). There is a group of these parameters for 
== the stack, cece, and date Sexrents 


load param(init, ch param); 
-—- load child actives array are additional parameters 
-- used by the main application program to synchronize its 
-—- operation with the ACTIV? USER processes 
loed child activeí(ch ch user synchro; 
-- load access class that each process will have. In cur 


== Case ell the processes will te multilevel. Minimurnr is 
== unclassified and maxirum is top-secret 
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load access class(init,ch level); 


w Cless :- init.resources WERE 


ene slo alo le Mb s EU ale ale ate ale ale sie sl sales ale sz SIC > Së S S AS >: ys aia E e 2> e e ale «le «ls iz ste ale sz ale ale sie ale ale sie sis sls wile ale ale ale ye ate alaale ale ale ale ale 
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leer ale ale sie ale 
A5 Ss eya SS es d 


sie ale ale ale als ale als als ale ales D 
` 
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CREATE SEGMENTS MODULE 


This module creates the segrents needed for the 
following : 
a.= Mentor of tke stack and data segments of wea 
process and FDOS process. The stendere elec 
was use entry S405 the mentor intial _segmernti2) 
application mentor” and call this new segment 
91 in the LDT of the mein 


b.- Synchronizaticn segrent. Its menton a 
segment created in the previous step, entry il 
of segment_ ¿1 was elected and this new sez mosni 
was called 51 in the«~same LET. The access CEEE 
is TOP-SECRET 


ch access level :- ch level(í(1): 

mentor ini ni il 
entry := Ee 

class :- jnit.resources.mir class; 


cr segrentíinit,mentor,entryx,cless,success)]; 

if success y/- CHR 
put succ(" success value 20 is" ,success,w class 
put ln(STDIOoK welsss, ) 

FND IF; 


ae 


mexexwcwn this segment with numter Jl 
seg mode "et vr 
seg_nurter := ST; 
mk segrent(init,mentor,entryx,seg number, 
seg mode,success); 
lp oues c then 
put succ( success AS “success, w_ class); 
put In(STDIO HE u CI 5 
EN DERES 


create Synchronization segmrert (mex access CSS) 
class :- ch access level.max; 


mentor := 31 -- segment 31 
entryx :- 11 


C4 


A mentor eatryx,class,success); 
ss 0 then l 
EE EE erte  ,success,w class): 
put in(STDIO W,w class, "); 
END IF; 


makexnown this segment with numter Ei 


seg mode :- n as 
sez nun er d 51; 
mk segrent(init,mentor,entryx,seg number 


Ew success); 
if success A then . 
put succ( success value Z4 is ",success,w cless); 
pue CIDIS w, class, ); 
END IF; 
Synchr seg := seg _nurter; 


Swapir this segments 
swapin segment(synchbr sez,success); 
DE UUTESS /- y ther 
DEM Dc Success Value AT is- „success, class) 


RE Ee 
EN D IF; 


= 6 
ww o. 
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CREATE PROCESS MOLULE 


This redule creates 4 Lrocesses 
LZ user handler and 1 BDOS) 


put In(STLIO W, w class, PEGIN PROCESS CREATION” 


uo elt 


ition ieee EACE PROCESS IN TEE SYSTEM 


process 1 ====> TERMINAL SANDLER 
process z ====> TERMINAL BANDLER 
mreeess <ó ====> TERMINAL HANDLER 
process ¢ ====> PELOS EANDLER 


index := 1 
a 


Ene AMM ERRIOF PROSISS  LOCP 
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ch_varameter := ch pararl(index); 


Ie sesivi1lRere Pulitilevel access class 


Le sie ale ale als ale ale ale ale als ale ale ale ale ale als sie ` sl. sesesests ale ale ale mie sl: ate we ye sia ate stale ale sie sie aile sla sie sle sie wie sie wie wl 
`» - >» 
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es? £ peste ste ste sles exe s este ate ale ale sie ale als ats ate sie sl 
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< ë 


ch eccess level := ch _level(1); 


lead the resources that tne child will have 


memory --> 198 (converted to B24 format) 
segments > . 32£ 
processes ií (max nurter of proc. thet cen create) 


ch rescurce.memory :2 MEFMOSY AVAILABPETS 
ch resource.segments := SEGMENTS AVAILABLE: 
ch resource.rrocesses Ce NUMBER PROCES OMS: 
reed evc(synckr_seg, eve_value, success j; 
cr process(init,ch_ paremeter (ch accccsm CIEN 

index, ch resource, synchr see, success); 


synchronize eacn time to let the new process Ccispleays 
its messege (word USER) 


we 


stes Sie x coe als sie $e a al, S E sie sie ai: stos E 
$24 KS Sa éi 2.5 E * eS SIS AS 02 * eS nS AS n e. eS nS AS TS TS Ia. MAS IAS AR 


await(synchr seg, eve_valuet+i, success]; 
incex := irder ei; 


end LON 


sese e se sie ease > 


V 
v 
€ 


Â e ale Ss s'e ale ale ale ale ale sl ‘ , ta! A 1 t loo q) le > EE Le ale le als le 
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SYNCHRONIZATION PROCESS ANE LCOP UNTIL NO USER IS 
ACTIVE 


This module executes the synchronizaticn among 
processes, Starting with the synchronizetion witn the 
user s handler processes and then with tne active IN 
processes when these have teen activated 


ACTIVATE USER’S FRCCESS 

This ster stores the value of the eventcounts QOEM 
users’ segments, the otject is to know which user 
sent the message 


index := 1; 
while index <= NUMBER OF USERS LOOP 


read evcí(ch peram(index).seeg number stack, 
R ch param(index).evn. count, success E 
read evc(ch parer(index).seg number dete 
ch_param(irdex).evn_count datd,sueceee 
advance(ch param(index).seg number stack,success 
index i= iindern i 


+0 4. . 


A A 4 


(LD 
O) 


end LOOP; 


LOOP UNTIL NO USER IS ACTIVE 
This loop is the mein process s module in the whole 

eye EM begause will Tre in Exc cnaxugtil all the users 
finish their jobs (enter tha word tye”) 


CCP BUSY :- FALSE; 
no active users := Zi; 
While no =ctive Users < NUMBER OF USERS LOOP 


if CCP_BUSY ther 
CCP BUSY := FALSE? 
else 
reađ_evc(synchr_seg, evc_ value, success ); 
await(synchr seg, eve_velue+1, success ); 
ESA 


SC LIYE USBT :- 9; 
E Z 1; 


determine the user thet sent the message comparing the 
event count velue, different value means that user was 


while index <= NUMBFR_OF USERS LCOP 
reed evc(ch param(index).seg numter dete, 
evc active, success jj 
if (eve active > 
ch param(index).evn count data) then 
active user "e index; 
clip Deter index j.evn count date i= 
CV Cmae tives 


index := NUMBER OF USERS + 1; 
else 
WOE =- Index + 1; 
END IF; 
Way LOTE: 


checks if the activated process came from an user 
handler or an active user. If came from the active 
user it means thet the veriatle “active user’ is in Z, 
otherwise it mears that the communication is between 

a user handler process and the main program (2CP) 


if ective user /- 9 then 
def seg >= lit mx selíldt table, 
ch paramr(active user).seg number data); 
def off  :- 9j 
ri def size :- input message'SIZE/8; 


e 


move bytes(def seg,def off,get ss(), 


ch_in’ADDRESS, rl def size); 


ch rarameter :- ch preram(active user); 
if ch ch user synchro(ective user).active then 


ch ch user synchro(ective user).ective Dm 
FALSE: 
terminate synchr seg(init,ch parameter, 
ch in.input cless,success); 
if success /= QUNM NEM 


put succ( terminate '",success,w class); 
put 1n(STDIC W,v class, ) 5 

end ifj ww F 

if ch in.input cse - Ee > then 


no active-users :- omo sctlve USE 
elce 
advance( 
ch param(active_ userj.seg numter stack, 
success); 


tr] 


Nem 


rei 


> 
, 


if ch in.input one /= tye then 


END 
ELSE 


index 


make know syrc(irit,ch perameter, 
ch in.inp M active use 


Gm 2h userasynohro. SUSSSECEE 
COGN “User _synonro(es tive user).active e 
TRUE: 
advance ( 


ch perem(active user).seg numter SE 
success); 
e c 
no active users E USE LZ 
FND IF; 
’ 


:= 1; 


while index <= NUMBER OF USERS LOOP 
if ch_ch_vser_synchro(incex).ective then 


r 


Í 


ead_evc({ch_chħ_user_syrchro(index) .522 EEE 
ch ch eve val, suecescon 
f ch ch eve val > 
ch ch user synchro(index).evc data then 
active user :— Index; 
zh ch üser synchro(index).evo data E 
A cs 
index := MBER | OF _USERS E 


END IF; 


END 


IF; 


index := index + 1; 
END LOOF; 


if active user =V Uez 


put 1n(STDIO W,w class, active user error’): 
FND IF; 


def seg Sa eh l!dt tatle, 
EMEN 1 xmesscenrolactive user).seg data 
def cff "rs g; 
ri def size :- input message SIZE/8; 
move tytes(def seg,def cff,zget ss(), 
NECEM PUES eI def size); 


coner chu wcclass,eoh cut); 
pass the segment to prbdos process 


def seg :- lit mk sel(ldt tatle, 
ch param(PREDOS).seg number data); 
Ger Ort := 05 
ri def size := comard lire’ SIZE/&:; 
move btytes(get_ss(),ch_out’ADDRESS def sez, 
des a f$ ri def size ) 


Meee? TOS PROCESS 


advanceích paran(PRRDOS).seg numter stack, 
success ); 

read evc(synchr seg, evc value, success); 

await(synchr sez, evc value-1, success jj 


DR SDOMMMSONONSNITIIMEUIT HAS TO Be PASSED TOC THF 
USER 


Terez e lit mk sel(ldt table, 
ch _ parar(PrREDOS).seg numter data); 
OS == e; 
St size = Comand line SIZE/8; 
move tytes[(def seg,def cff,get ssí(), 
ch out “ADDRESS, rl def size); 


essemtle user messege with the result 


Co result i= en out. result; 


pess the segrent to user process 


def seg ¿= lit mk sel(ldt table, 

ch ch user synchro(active user).seg deta): 
demon = := 05 
ri def size :- input message'SIZE/B; 


c9 


move _tytes(get_ss()enh_ im ADDRMSo Maer seme 
def cff.rl dE ST CE 


RSS advance the process that executes the commana 


advance(ch ch_ user synchro(active user).seg stack, 


SHecess mS 


BND IF; 


active User 375 
index 1-405 


mi determine if while CCF was busy executing the previous 
-— commanés, some user handlercr active user sent 
—--— a message 


mm US TARA 
== determine the user thet sent the messeze comrpering the 
-— event court value, different value resans tnat Ser 


while index <= Nii Cs Use. LOOF 
read evc(ch_ param(index).seg rumber date, 
EVC ACU Vomit CEA 
if ‘evc_ active > 
ch param(index).evn_count data} then 
CCP BUSY := TRUE; 
active user := index; 
index := NUMBER OF_USEFS + 15 


Neer. EE NM 
; 


== ACT [Viet re 
=$ cetermire the user thet sert the ressege compering the 
-— event count value, difíerert value means that user was 


index := 1; 
if active Mer E 
while index <= NUMBER OF USERS LOOP 
if ch ch user _synchro(inder).ective tren 
read evc(ch ch user synchrolindex).seg qum 
ch ch s@vc wat, Specs 
Lf Ch. CAMEO ci 
ch ch user synchro(index).evc datam 
CCP BÜsY :- TRUF; 
index := NUMBER OF USFRS + 13 
END IF; 
¡ADA 


dei 


index := index + 1; 
END LOOF; 
E 


erd LOOP; 


AS AAN SAND SAT? UNTIL CRILD DELFTE ITSEF 


ch_out.command := ‘tye P 
def seg :- lit mk sel(ldt tatle, 
i ch_param(PR3DOS).seg_numter_date); 
Ni a > 
ri def size :- comend line SIZF/8; 
move tytes(get ss(), ch. DD So des ses, def cff, 
a size); 
advance(ch param{PREDOS).seg numter stack, 
success ); 
reai evcísynchr seg, eve value, success) 
await(syachr sez, eve _value+l, success | 
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at EH 


This module eliminates the user’s handler processes created 
to support tne active user processes, since each 

NS Teqmir=CuGi a speclit@c Numrer of segments thet 

MENE CENSOS >S module, tnese will 
Pemuetrine ved ong Geletec in this ster 


moe Soi Sav; 
MIRE prRores < NUMBER OF PROCESS LOOP 


eoe ae E ES, SUCCESS A7 
put succ( child deleted =, success, w_class ); 
puun OIDO Y, vacless, ); 


termirate segment(ch parem(proces*1;.seg number-stack, 
success ); 
e See ment a perar serecesti jase. numter dete, 
success E 
terminate segment(ch param(proces*1).seg nurter code, 
success jj 
delete segment(ch_ param(proces+1).mentor_stack, 
procesti,success); -- delete entries 
delete segment(ch. perem(proces+1).mentor dete, 
proces+5,success);  -- delete entries data 


id 


Fx 


iJ 


Qelete segment(ch param(proces*1).mentor code, 
proces+6,success); -- delete entries code 
PPOCeS EECH 


end LOOP: 
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TEPMINATE SEGMENTS AND DELETE SEGMENT MODULES 


These modules will terminetse and Gelete the segments 
created previously to hold the mentor segment used db 
create the user's stack segments ard the user's date 
segrents, and the synchrcnization segment to 
estatlish communicetion emona vrocesces . 


terriaate and Telete synchron iia lose na 


-— segren tak i 
-—— entry aE 


terminate segmentí51,success); 
delete segment (Z1,11,success); 
terminate and delete mentor segment 


terminate segment(Z1,success); == segment 31 
àelete segmrent(init.initial seg(2), 5, success ); 
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put 1n( STDIO Ww; w chi RENEE COOD RYF ate aeai 


< ê 


Infinite loop to prevent trac. COUA c oman E M 


eventcount. 
success := @; 
while success = Ø L 
success "e C 
NND. GE 


OF 


s. 


prmains 


Ce 


Per oN OES B= Usth AANDLER APPLICATION PROGRAM 


This appendix lists the User Handler Application Program 
code. Only one program is provided since the three different programs. one for 
each different user, differ only in the port used on the RS-232 board. which 1s 


indicated below : 


Port 6 User 1 
Ports User 2 
Pert o User 3 


ihe programs are called PUSERI,. PUSER2, and PUSERS. 


The program listing for user 1 is detailed next. 
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pregme rengecheck(off):pragmre detugíioff)spregma 

arithcheck(off); pragma enumtat(off); 

WITH egete, egete), arl, el1b, elit}, striicvc, IMS eee 
Dee 

PACKAGE ROLY puserl IS 

JSE egete, egetej, ari, elit, alitj, strlit, files ues 


proce; 
== AD A E BES SIE SIS YS BS SIE DIK BIS BAS 35 3 IS OS DIS BIS DIS DAS 3,5 348 3,5 215 2,5 3,5 31S 3,5 2S 0,5 ys 3m epee 
== Constants used ty the prograr 
-— STLIO h -->  essigns logicel device ita yee 
E SUR --> assigns logical device tomo. 
== IO PORT --> assigns the ports according Wi tae 
=> follow deteil 
-- puserl T? port 
-- puserz TA DOT LU 
= puserz TE DID TIE 
ÓN PS e --> assigns preess zumter 1,2, for pase 
-- puser2 and puserí respectively 
STLIO M > CONSTANT integer :921 
S uno : CONSTENT in Teren M 
iQ cx : CONSTANT integer :- 65 
= RU OCESS : CONSTANT ODE CMM 


“EMORY AVAILABLE : CONSIANTE EEN 
SEGMENTS AVAIL AFLE 3: CONST AN (aie Sones: = 
NUMBER FROCESSES : CONSTANT invtemier =: -—= 2 


==  Verietles used ty the progrer 


w class ; ecGess Chass, 
success : intezer; 

ch lp 37 2c temes sees 
date def size : imteger, 


def off : integer; 

def seg : integer; 
cheve ayol EE 

eve ch val : integer; 

ro SR : String 
userrame : string(8); 
password : string(8)5 

el Mele Ss > Ocasion 
chyn o ource : Chil ce resoumecs 
eco : ESOS 

end prog : tooleens 


ch access level : level_record; 
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Ch ` 
entryx : 
mentor 

seg mode 

seg rurter 
parameters 


en 


IE meser level; 
integer; 
integer, 


integer; 


SE Ly 


pe: 


Tl parame Grs; 


KA e alo xls 
ays ays es eu Z i482 EAR? 


"ac 


-æ ad aae 


TILO 


tO indicate 


uec 
Dogs nos 


) 


vis slo vis ale yie n’a 


iit srr oprocess del; 
a MAIN 
Begin 
xu eceurl def(); == this sentence is otliszetory 
m A o DAD se 
mee ALLACH TERMINAL MODULE 
Meee as @caule attaches port X to its process ino 
mm use 1% in 1/0 operations 
SS attach terrinai as write device 
Eech tew 10 PORT, STDIO Ww); 
WENNS >> I41t .resources rar class; 
oe attack terminal as a vreed device 
EE SIDO Ry 
== indicates that was activated ok 
A SO class. USER); 
== synchrcaize with the main application (CCP) 
aoe tnat it wes eated ok and ellow continued execution 
ue U5srectue ewalt operatcr. It means that the rro 
g-—i.unti! tee main application returns control 
ae Lrocess 
EE El eet ee A 
read evc(init.initial sez{@), eve_ch val, success ); 
SUM Die  seg(0), evoe Cul SUCCESS |); 
ee BEAL BS BIS BS SIS SIS TS BE BA TS FS BIS OS NE BIS BS TIS TIS e aen de ale Ae ole ale siecle ale sig steals ote 
e Ne CC NOE LOEO de de de e ze de ee K ex ate ois ale ae ote 3% ote ole oe ox ox EE A COR 2COCKO 0 de e de e de 
con eke TERS MODULE 


This medule assigms parameters to the = erceesse m 
will create. These parameters are rentor number, entry 
nurter, and segment numter, used ty stack, code ana date 
segments needed by the vrocess to be created 

(ACTIVE USFR) 


load parami‘init,ch peremeteme 
lcad access class(init,ch levelj; 


end prog :- false; 
while ot end pros LOOR 


slo abe vls nto ala ale ale ale ye wle aly ate ale ale ale y. ely ye ale ats ale ate ele aly ale ale alee zye owe aleanls ale als ate lo aly ate ale als ale atv ale ate ale wie ale alo als ale 
us du ê (X Ss ym OLY Oye us ds dd Zus e Ld hd en LX e eu ya Ld hd eye eya wQa- o," 719 gun gun Su SÄI ye a Sie e, 94^ eu r> 2% E >. Së 2 ER * Zus >: Sum o> us AS Zus ^19 e, 2,6 Sr z Zus Zus 7,5 Zus 


LOOP MODULE 


This module executes several operations until the opere- 
tor enters the word bye . This means that the users work 
is finisnei and termiantes this prce@ss execution 
5tejs ems Tue? die: 


a. Clearance Tremi aena 
USERNAME and PASSWORD (login process) 


t.- Create and makekncwn mentor and synchronization 
segments 


c.- Load the chilá's resources (this will be 
subtracted from the perent resources) 


d.- Create child process (ACTIVE USER) single level 


e. Detach the device used for I/O, it will te used 
Ey ond 


f{.- Synchronize with the child created to indicates 
what was created (USER CHILD) 


g.- Synchronize with main avplication program(CCF) to 
indicate that an ACTIVE USER wes created. In turn 
CCP will mekeknown the segments thet ere synchro- 
nized with ACTIVE USER (45,46 for usert; 
47,4€ for user2. 40 c ERE CIR 


n.= Syrchronize main with active user and wait until 
the acti vemuser Has e SO 


i.- her ACTIVE USER termicates his jot trencin 
handler recovers the resources assigned to his 
child end terminetes end deletes the segments 
created to te mentor are synchrenizatior, plus all 


the segments needed to create the child 
(loaded in ster Ei 


MIO IEC? tor indicate thet ACTIVE USER 
is not longer active 
END LOOF 
clearance identificeatior 


blk scr(STDIO W,w class, Ji 
put str(STDIO W,w class, USERNAME ^); 
ec := trues; 
username :- ' j 
usernare "e get input(eco,w class); 
put l1n(STDIO W,w class, ` T -— put cursor in next line 
if username = "rye then 
end prog :- TRUE; 
else 


put str(STDIO WV,w class, PASSWORD ^); 
eco := false; 
AS ege 

pesswcrd := get_invutlecc,w_class); 


putain SIDO o i 
lock for_level‘userneme,password,ch level,ch class); 
euEENMEUNTentor to tbe"chw'd process 


Smee CESS leue lcchnaleue 

Mentor <= IML. init reolt es 

entryx := 3; 

Daa ess.: = Ch eCCeseeteve. min + 

Creole tnewmertor segment 

cr segment(init,mentor,entryx,ch class,success); 

I| NM e M" them 
put succ( success value 04 is ",success,w class); 
En eo SIDO YA CHE s 

END IF: 


Ns -—-INESCCessS class 
í \ e 
\ 1) 


1 


makerncwn this segment- 


SeA mode Tw 

seg numter := 31; 

mk segment(init,mentor,entryx,seg number,seg mode, 

success); 

if success /- @ ther 
put succ( success value (4 is ",success,w class]; 
put ip(STDIO W,w cless, A ` 

END IF; 


CimecGeom level emin := ch access lewel.mex; 


—- Single level 


fa 


load the resources that the caild mil le 


memory -—» €@ ( format Bee) 
segments --> Jae 
Processes => 25 


ch resource.memory ‘= SWE Ora Se. 
ch resource.segments := SEGMENTS AVAILABLES 
ch resource .processe@s := ¿A SO 


SYNCHRCNIZATION : code segment will eve Are 


synchr. perent emd itsS"chau lc e 
initial seg(2) is used to synchr. 
child with main application program 


cr process(init,ch perereters,ch access level, 
process,ch resource,irit.initiel sez(2;,success); 
if UGG /= a then 
put succ( success value 9€ is ",success,w cless!; 
put In(STDIO Weweelesss. s 
ENT IF; 


read evc(ch parareters.seg number code, 
ch evc val,success jj 


detach device(STDIO V, success); 

detach device(STDIO R, success); 

ewait(ch paremeters.seg numter code,ch evc val-*l, 
success); 


synchronize with main application program to creeme 
segments te hold stack and deta (will be used as Synchr. 
segrents with the new process) 


def seg 1it mk _sel(ldt,teble,init.initiecl SAMA 
def off := 0; 

ch_in.input_ oe := USeT NAMES 

ch in.input result := 5 

ch in.input class := w_class; 

dete def size = a input_ message SIZE/8&); 


move tytes(get_ss(), ch_in’ADDRESS, def seg, def off, 


data def size); 


synenronizetion process 


advance(init.initial seg( 


5) suc ; 
advance(init.initial seg(2), 


SAC ueste s 


Wee 





read eve(init.initiel seg(d), evc_ch val, success ); 


al ses (2), evc ch val+l, success ); 


reed evc(ch perereters.seg rumter code, 
ch evc val,success Ji 


edvence(ch peremeters.seg numter _steck,success); 
Ml aa til child self delete 


parameters ses. number code,cn_evc val+l, 
Suecess); 


if success /= Y then 
put succ( success value 1€ is ",success,w class); 
p MED ThIO Wow.class, O); 

ENL A; 


attach I/C terminals again end delete segment 
creeted for the child process 


attach tew(IO PORT,STDIO V) 
avvecn ver( lO POM STDIO E) 


celete segments 


terminate segment(ch parareters.seg numter stack, 
success); 

termirate_ segmentech parameters.sesg_ number code, 
success); 

terminete segment(ch _ parereters.seg numter cata, 
success); 


delete segment(31,ch _peremeters.entry_steck,succe 


SS 
delete segment(Z1,ch parameters.entry date,success 


^ 


t 
e 
9 


Ln 
O 
Ca 
TD 
fv 
CT 
(D 
bac 


. 
, 


terminate segrent(31, success); -- terminete mentcr 


delete segment {init.initial seg(1),3,success):; 
child delete(PROCESS-1,success); 


communicete with main @pplicetion rrogrem to Gelete the 
s€grerts te hold stack end data that were created to 
eynchronize main with chiid 


CMM) 
def off :- £ 
ch in.input one :- usernere! 


Meseta. terle 1rit.initial segí3)) 


ch in.input result 3 
amina pu class : 


, 


N Class; 


[29 


H 


date def size s= (input omesseces 
rove_tytesíget_ss(), chin ADDRESS, d 


data 1er s TOS 


eet Synchroml IE (on oes 


edvance(init.initiel 
alvance(init.initial 
read evc(init.initia 
await( init.initiel_ 


end if; 


end ICOP: 


S 


. def OSA 


, the control will retur» 
== main application program CCP 


Seater success ); 
_seg(2), success jj 
1 sez(0), evc ch val 
segíC), evc ch val«s1 


T 
9 


SUCCESS 
SUCCES 


— synchronize with main application program tc tell that 
— the user no longer will use the terrinel 


li 


cef Ses 
COTO UE 

eh in.in put- one ER 
ch in.input EHS) 
ch _1n.10 Put CSS cl 
Gata def size := ( 
move tytes{zet_ss(), 


se 


W 


inbut_ message SIZz/ 


e 


rname; 


, 


ON oes 


h_ in’ADDRESS,def_ 


date def size); 


det ach _device( STDIO R, successi: 


detach device( STDIO W, success ); 


advancefinit.initiel segl3), success ); 
self delete( itit.i7ithalesee( EEN 


if successi ISTER 


attach tew(IO PORT, STDIO Y Jj5 


put_succi succeser 1: 
END if; 


1x 


NL ust 


eg 


„SUCCess, w class) 


nn 
e 
= 


)5 
ez, dei aca 


X s 
P 
17 


lit mk sel(idt teble,init.initial SOM 


Mie ASE RES? PLICATION PROGRAM 


This appendix lists the Active User Application Program 
code. Only one program is provided since the three different programs. one for 
each different user, differ only in the port used on the RS-232 board, which is 


indicated below : 


Pone 6 User 1 
ort.) User 2 
Port 3 User 3 


The programs are called PRCHL1. PRCHL2. and PRCHL3. 


The program listing for user 1 is detailed next. 
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pragma rengecheck(of 


f)ipragme detug(of 
pragma arithcheck(off);p ( 


i 
ragra enuntat off); 
WITH agate, egetej, erl, elit, alrgy, strilit, TMe Sr 
PACKAGE BODY prchli IS 
USE agate, agateéj, aril, alit, TI 


mabe a! 


als oe ale a ~ = ~ e i t lo al ô ale al le wb 2 
GE SDR HS AS AK BE SSS AS BRAS BE RAS SRR AS Se IS AE AS AS TS AS HS BS BC SER OS BROS SE ES BE OYE AE ENE OS SE OK OAS DIS EE 


ato oho 
— — ege qu yn eS 


~~  Ccepstants usedoby tir Droch 


=> STO Oé > assigns legical device 1 to nie 
E SLD pO S» assigns logical device 2 VO NEEGE 
> IO FORI -~> assigns the pcrts eccorcing with 


-— fclicwintna ieron S 

-— puserl EDOCTUS 
um puserz Exc DUM 
== pusera O TUS 
OS >: CONSTANTE PM 

STC IOR > COMMS tart intecer E 

L es : := Es 


CONSTANT ebe 


== varietles used by the progrem 


w class: access clase 
SUCCESS. OUO 

ch in : irput messe Si 
data. det size s: Imtveren, 


def off : integer; 
defe j| In beeen: 
evc oV ; integer; 
rd sun ! SUPE 

eee E Ea 
ener Omer * Coolean, 


init TP" process ea 


E M A i A d 
Begir 
D . e s . e 
= c —— — T h T o il t if 
inat <= gotea is sentence is oblige 
U è 1 ! 4 I y y V y 3 r 1 V V y E , V y 1 8 1 al 1 5 
as Sea se de de Ble SiS IS BIS BS SHE DIS SHS SIS de dee HE ESBS NETS TiS S/S BHC IS BS EE EE AE E OEC CNRC Pu 


== ATTACH TERMINAL MODULE 


-- This mcduls attaches port X to this process in ord MEM 


GE 


use it in I/O operations, the device will have the sare 
clearance that tae process has 


RSS — elit. resounces.max class: 

attach terminals (read and write) 

A cite ri IO PORT, STDIO Ro); 

attach tew( IO PORT, STDIO W }3 

put 1n(STDIO *W,w class, USER CHILD `”); 
OIE” ICA USER FANDLER to indicate that it was 
Pc IT Continue his execution using the 
advance, end ewait operetor (advance User Handler 
MocmrGounmt io continue cand await to stop its process 
OSOS tre- control 

advence(init.initiel seg/1),success); 


read evc(init.initial seg(0),evc ch val,success); 
Ani initial sez(Z),eve ch val+1,success); 
EE D Ee e ae e gie ai e de eege sie sle zie zi 


£s ala ale ale ate ate ale ales 
eam FS FS rum AN aS IS ZX ei ayn Ve ës dés dun dx INIA IA IA IA A IA IIA AD du dt du du erh du FS FS FS uS DIS T 
b U 4 $ 


REE BIS DYE BIS BS IK BIS BIS ENE EEE ENTE ENE NENA NE SE SENS Die ate Ste ate le aig sie ate ote ste ote ste ste ste ale sie eat 
LOOF MODULE 

This module executes several operations until the 
operetcr enters the word tye that means work is done 


Mees tepSsecCorsidered are : 


Seene ( *) ) indicating thet i5 ready to 
ae epi sel IVE USER input messages 


b.- Get the user’s input messege 


c.- Load input message entered ty the user into 
segment date used to pass the informetion 


ISS Acne with main application program CCP 
waiting for the answer to the message sent 


e.- Display the result of the message after it was 
processed ty CCF 


END- LOOP 
eco := TRUE; 


end prog :- false; 


BS 


while act end pros c-r 


-- get input messages from the terminal 


gn ap 
o 


pndeesitime ;- b 


ve 


a an 


put str(STLIO W,w class, *) 
rd att := get_inputlecio wa 
Su 


ass); 
put STEP Y mue ees ) 3 


-7 put the curs Gia 
-=> The nent ding 


def seg := lit_mk_sel(ldt.table, init.initial. SOMA 
def off := 0; 
cn in.input One <— rosie 
ch in.inpul jesus — ; 
cn in.intut cr clon 
data def size :z (input messege SIZE/8); 
move tytes(get ss(), ch in'ADDRESS, def seg, def off, 
date def size); 
if ((rd str - bye Ma aces E 
end prog := rue 
else 


== begiz the synchronizaticn vrocess 


Sd Succes e 
2), mmceess ) 


* 
) 
* 
9 


advance(init.initial seg( 
edvance(init.imd tie] sezi 


read evc(init.initial seg(C;, eve ch vel, svcCHEERME 
ewait( init.initial seg(O), evc ch vel*1, success ); 
-- display tbe answer's message that was transmitted by CCP 


def seg := litb_mk_sel(1dt_tetle,init.initiel seg(3)); 

def off := Di 

dete def size := (input message SIZE/8&); 

move tytes(def_ seg, def cff,get ss(), ch in'ADDRESS, 
data def size); 

put lr( STDIO W$ w_ class, 3b in-input esu lt 


erd if; 


end LOOP; 


, 
ais mio nliz ale ate ale ate ale ale ate ale SES ale wl ais ale nia ats aie ale ais als sc abe ate ale ste ale ale ale ale als ate nto ale slo ale ale ale al< mip nle nis ate yip nipale sie s'e ale e ale se ales alsale 
— ae y» ep ey eu e^ ^ +," TS e Ld hd (^ A e> ^ "hd oye oye ^p e^ Zus (ds ¿e Zus Sun eye en e> ee eye Ss e> e> Ss ee Ss ee Ld hd er ye Ld hd eya eya Ld hd ey ey em eye - e Ma e> > e Ld hd e> 





Poe bote Sipit.initiel see( 1 j, success ); 
if success /= y then 


algae abe ale als ate ale ale ate ala nto s'e ale ate als 
Ld a La a> a "m e eye Zus eum 


i i i 4 i i 4 i ' 1 t . 1 1 ' i 1 i 
-'» ens 2 i» «ls» «7» ate ala ate e ZS md ale «ate wie ole wie @ ale bo aly ale la als i le i i J i 1 i i 1 y y 
> 2 r4 EA 2 Je 2 > D alas ate ale alealae ale oe ale ale ele aly ale als alo ae 
e Ké EN ZIN PIN 1 i 4 uy 1 hee I EN AENA SS (8 6089 VS ds d 5 ses yu as 


1 
- ^ 
e. Su e; Zus Zum Sum i qa ey» Suz e. eu an en ^ „a > r> oye ey 


CETACK THREMINAL MODULE 


This mcáule returns the device's control to the user 
hocmocbler 


Belge device( STDIO R, success); 
detach device( SIDIO WY, success ); 


ale ate ate als ats ale ale ale ale ale ate ale aleals als ale ale ales ale ais slo «lo» alo xte ~'e ale yle alis nlo alo ylis de als nis 92 ale s'e als n'a ale alo alg ale ale ale ate ale ale ale ale ale swle ale ale ale ale 
Zus SC gr es ?, Ce eu e pos wpe my IIA IIA IA A my PIN A > A> > ra Sun er Ld hd ds gun vq» ori. Ld hd vm ey eye 1" es vq ram ZU dm ea Ss ey kad up ey» ey. Ed hd us epa eye Pe us gr La e 


ala ale abeals ale ale ate ye ale ale sle ale KÉ als sie ale als ale ale s'¢ ale sie ale als ale als ale ale ale sl sie ado a'e ale ale swle ale ale yz slo «lo alo» als ale abe y. ado le la alo alo xte wia ale qe alo 
oye e» v, vq" > ey wy 4. > ea Zus ds ds és geb Sun sg Zus 9549 ey wm PM. e. ¡e a 6 (X um Ld hu lad dy Sur Ss Sr v eye Ld hd ve^ "s e, ses Zus ^, eya es ds us gi N IX êN PN CIN 4M 2 „5 


SELF DELETE MODULE 


This module terminates the child process (ACTIVE USER) 
acd advances the eventcount of the segment indicated. 
In this case it is tre segment used to synckronize with 
nis perent {user handler) 


attach tew(IC PORT, STDIO * ); 
pause sveccessor is Success, w class); 


PND if; 


HUE prehli; 


So) 


APPENDIX D - PRBDOS APPLICATION PRO Gi T 


This appendix presents the application program used to 
simulate the behavior of the BDOS operating system. Because of time constraints 
this program only has code that shows the process that should be performed when 
BDOS in invoked, simulating the result in order to pass it to the CCP process. 


This program is called PRBDOS, and its listing is next. 
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een nenes EER oif) pregre detug(off? 

pragma arithcrheck(off);pragra €numtat( off); 
` Aca. elec), strlit, files, util: 
I UN T 

EMEN -NCEPENMSTUSU cca). striit, files, vtilt: 


= 
> ha 


de 


cau 

à 0) 3 
PN CO 
> 
qoo 

(U FT 


UI 


he ale ale ale abe ale ade als ste abe ale aly ale ate ale ale slo ale Je Ye ~t Lo abe ais aly le vle de va ale «la xl «le le a ole ale ale slo ye Se xt =< ze Ee zi e 
I i E v 


< sle la lae ale w e de de sales lo Jo al 
-— — SI KEE EE cet X “te AS FE os ds EST FE IA IA IA IGN IA ETA IO IIA IIA IA III éis dés ds gin era r 


NEE sPimuMatesctHe tenavior of the 5705 
Æ Work, in orċĉer to handle disk files 


abe ale abe aly ala ale ale ate slo sla alo als ale s 
y» kd NW kd ey + eya Sun "^ eya Zus Ss ey Py 


I 
(X IN IN CN Zœ ZW G IX PIR ZX ZX Z LS gin es ds ds ép ê ya 


este ale slo o slo nis slo de le lae «le le sle sls le l< ale ale Se ale sie alo als slo «lo np «ls s'¢ ale ye ale sie ale ale ale sie ale sle aioe ale wie 
(Ge IX ZIN ZK ZN ZIN ZW Z Z NI OAS AIS és eis és és dx du ZIN IN dt ITA. 


SACO Vs TL e 


Selo NW EE EE 
ELLIO a : CONSTANT integer := D 
mo TORT PUE ANTATT :- 9: 


meen LN 

EC lass : access class»; 

Eecess : intessr; 

meee cer size : integer; 

ger cff integer: 

met seg intere 

acC ch val integer; 
Encomm : comard line; 

ema prog : tcolean; 

Serle dete Pe leia 
SS e e d : segment hedden, 
= eg data : segment data; 
Meee rl process def; 


se p Sg 


~ a a! mi ~ A + ww ~ ~l ~ ~ ~ ~ ~ ~ 9 e a ato ate ata alo ato alo ale e 
EH SES E EE SS Eh e AUR de de ae de de de de de ste de de ale ok ste aig ote ste ate de ole ate ate ste ote otc E sie ole 
= E 
e . 
SC attach terminal as write device 


w Class := init.resources.max class; 
= attach tew( TO-PORT, STDIO W); 


mbe em 
Í m= 
A ala an ala a a! LPS postes eme d Pee 4] ta ale ale ale alo ale ale ale ale ats als alo alecio ale ale lento ado de ondo alo alo de a ' 
N'e w'e xe le xie steals aie wie ale ale als ate ala wie ale ale ale ala aia nie » E E NS e ale wie ale e xulo mr ves me nde ale ale ale ate ales als ate 
DIGO IO IIA AA IA IA IA IA IA IA OL 
ae ANAS ase véi éi du IO IA d y 2:24 ^ 2.5 éZ ZG éX é ZX Z i 1 aA AAA A a AS ARAS A eX ZX ZIN IX ISI LS Neo ê v st 


E Mu coc dlrectory 


-- put I1n(STPIO W, w class, RDPOS 2 


en 


SiN A A 
== Synchronization with CCP to tell trat it vas crea 
== without tron 


== tegin the synchronization process 
advance(init.initiel seg(2), success ); 
read evc(init.initial seg(2),ewc ch val,suctescmE 
await( init.initiel seg{%),eve ch val+i,success ); 


== PROGRAM WAITS UNTIL TEE CONTROL IS PASSED FROM COP 


edo wo we ale ale alas ale 1 wa lo ate ale ale «! +c A ls he P Le als al a a ES E 
os SR AS BE AS AS BS EBS TIS ONE SIS AE AS BS AS AS AC NS AAAS A IE AE IS OS SE AS BS AE BR STS E RENA IE BIS TK SIS OK AR IK 2S 
a 
^9 ð — y. l . 
ena proz += Sia lee, 
ale le ale al Le de sl whe ale ale ls abe ate ale ' U to af 1 ~ V D als ua als alas. 
ur BES DS BIE BIS ACTS YS SHS AR AS AE YE A AS BS AS OE SYS A AAA A NA AS de 
--—— a 
E 1 S tt tt 
-— intil c0 PM IS b 
Beszin loop Watt sends ye 
ao aro 


while not erd prog LOOr 
a zet command line passed ty CCP 


Aef JSE 
gef ot : 
data def si 
move tytes( 


lib mk sel(ldt table,init.initial SOPA 
- £j 


rr? 
< ə 


:= (coma Je aS 
.seg,def off,get ss(),ch comm' ADDRESS, 
a def size); 


(0 "D (D 
+ ro 


-— put ln(STPIO V,w class, ch comm.command); 


tt 


if (ch comm.command Ze bye ^) then 


IF ch comm.command = "create  " TEEN 
ch comm.result :- file created ; 


SES create file(); 
FISIF ch_comm.command = delete ` then 
ch comm.result := file Geleweda | 
SS delete file(); 
FLSIF ch comm.command - "rename ` then 


ch comm.result :- “file renamed ; 


eg 





wm rename file(); 


er E ` ` 
COSO Teil Tess. processed ; 
Gendt: DES 


== IM Team t tO Dass Pee tO ene parent process 


def seg :- lib mk sei(ldt tatle,init.initial seg(3)); 

def off res D: 

data def size >= (comand lire SIZE/&); 

move bytes(get ss(),ch comm'ADDRESS,def sez,def off, 
data def size); 


whe ale ale als ats ale ata sla ale ale ate ale ate ale ale ats ale als > ate «lo «lo «la sip ale als ats ais sie ale ais ale s'e els alo «le ye elo alo ndo als ie lée xie xte wia la KA 
M anm eS AS ASIA SS AS AS IUS EIS IS ES us ZU IIA IA IA IIS RIO IA IO IA AA IIA IS IA IIA II AO AS equ 6S rS FS IS AS rS AS FS 


a! ^ «l^ «ls sls ais a! 
919 IQ UI ¡e ^" 


e ale 
^9 es 


Ec nmchr09)28 process witn OCF in order to rass the 
= result 


edvance(init.initial segí2), success ); 


noe ve I1nibwinatiel sea(0), eve ch val, success }; 
await(init.initial_sez(@), evc_ch_val+i, success ); 


else 
end prog := true; 
erc IF; 


erd LOOP; 


ale als ale nte 3% als ale sie ale ate sra CW la ia le «la la «la lae la xa wia ais ates ale ais ale ale sie gle we sls stents sls ate ala nts ate ale stants le ale ale sie ale ula qa sip els nio wie wie we 
-e am Zus a> * ex y Vë du " Zus du du uS au * Ss Zus rs Us Us din Ss én Vë és ës ds us dun im ^0 Ss oy" ye ds e. Zus eu e Ld hd Ss dx d us us dun e ER e. AS PA AAA eœ Z 


E TAa Ool the prcoeram ard self deletion process 


EE SET, BR, success); 
-- detach device, STDIO W, success ); 


Ba MN csnj)teum)tial sese( 2 ). success ); 
if success /= 0 them 

attach tew(IO PORT, STDIO wi? 

SUIS UDS SOS ,success,. class); 
RND f, 


END apr tados: 


eg 


APPENDIX E - COMMON PRi@igii eae ee tela lay 


This appendix contains the procedures and functions used to 
provide information when the system primitives are used. These were obtained 
from the demonstration program provided by Gemini Computers Inc., and 
modified to reflect a generic use by the application programs developed in this 
research. The programs are "PROCE.LIB" (contains the specifications) and 


"PROCE.PKG" (contains the code developed). 
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Mie asa ch), eri, elie, @litj, strlib, util, files; 
PACKAGE BODY prece IS 
Ip T coveccectej, eri, alit; alib), strlit, util, files; 


e tantes fcr device slots. 


AICA CONSTANT integer :- 1: 

STDIO R : CONSTANT integer :- £j 

EN UU EE Integer := €; DDT L ¢ for main 

a Constants for segments. 

SIZE MENTOR ION ees size mertor 


E Snr, Segrt 


alo nulo abe ale ale a) Le ale whe $ ale als ale ale als We ule ale 


^ J^. ate We we ale abe 
— me eps tam rS tS Ig IS nS IS HS AS A ous ds es dra Va ee AI 


FE AS AS HE FS 2S HE BE DE BE AS SIC BIE YS TIS BIS NYS SE BIE NE DIE Ble BIg ie ale ots ote ste oie aeoe oie ole 
-- FROCEDURE CR SEGMENT 

-- this procedure completes the parereters neeied ty the 
@emmecrimltive Creete segment. The record structure is 
BemmacescricC6d in the file agate,11b rreviaed ty Semiri 

E corputers Inc. 


==> the parameters received by this procedure are 


=- iait Zoae ess definition 

EC mentor ==> indicetes the segment numter thet 

=- will ce parent of this new segrert 

= IA —-=? “ie icateseyrich entry numter of the 
== mentor is used to create tris segrent 
-- class --> indicates the security level of the 
ES segment to be created 

EC Success zo 2muputOaverietle that indicates the 

im PESO ene Operation efter call 

== the primitive 


== This troceduce is used te create the mentor ard 
== synchrcnization segments 


Paves DURE cr seerent( init : in rl_process def; 
mentor : in integer: 
EIC > in integer; 
class 


Im dee@ess Class 
Success : out integer ) 1 


(D we 


eee e Slr a reaL E Sez struct; 
w_class : access_class;i 


REGIN 
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w class := init .resoqunc¢es niet 
cr .seg str.rentor == Terie, 

cr Seg str.enptryx* jocum as 

cr seg str.limit :- SIZE MERNTOE: 

Cr s@@ str.class «= Claes 


create segmentí cr_seg_str, success ); 
if ( successamwBlv ) 
put 1n( STDIO W, w class, @17 means segment already 
exits. Js 


END if; 

2 PE 

END i 

i ra 
Ge CT beleen 
Lo 
1 A t t t b t , $ t $ Le al 1 A A t t $ t 1 8 t e i 1 t 

—— SENS DSI E NE A REE E NE BIS TITS E EA HS ML E B TIS TIS AES AS AS A AAA IRAN A A e 


ale ste sz $34 ale ats s's ate ate ale wie s'e wis ats $e ale ate abe ate ale alante nla nia wis alg n'a slo ats nig anla alo ateate ale ate ala nts ste ale ate ate nthe ate ale ale ye ata ale ate ale ate wate ala ale ale 
^^ e, t ye . e Gd kd? > Ld hd > e> e e A> ya eu ^19 ^" ey SS Zus ey. ^19 Sun dl Sum Ss en Zus a> a> Ld bd Zu e ^9 r> v^ 2> e a> eye ^9 ds ^19 . a Ld hd (S ey» ^ Ss T1 > . 


-- PROCEDURE DI_SEGMENT 


-- This procedure completes (the src ES EE ty tne 
== primitive delete segment. The record structure is 

-- descrited in the file “agete.lit provided ty Cerini 
-< omp t ete NUN 


-- The paremeters received»ty tiis procedure ere : 

E UB" ==> initial precessmauer: 09 

-— renter ==> indicates the segment numter tnat 
-- will te parent of this new segmena 
-- En tery x ==> indicates which-entry numter Ci aa 
-- mentcr is used to create this SES 
-— cless --> indicates tne security level IM 
== segment to be created 

es success ==> output variable that indicates the 
+= result of the operation after em 
EES the wramTtiue 


PROCEDURE dl seement (“imit Q0 NM NISI 
ment One > fe ave sos 
seg number EE 
success : out integer ) IS 
mentor, entry x "m em 
w_ class : access Eonia 


BEGIN 
Ww class 
[EOS 
entryx : 
MESE ES 
ENE dieses t 


= init.rescurces.min Ts lc 
rentorx; 

- seg numter: 

egmert( mentor, entryx, success Jr 

st; 


zm 





le ales ale ale ale ate 


alo ale ale aly ale ate alo te whe ale ale ale aly we aly ato alo ate ale ae ale ate ate ale ale ale ale ale ale ale ale ale a ale We e ate 
ne eya eya SÉ A eu AS AS - e. n ^ eu eye noes” > A A: - x x op A A: 


ale aly at at alo als jn ee 
eya eye as p equ ea Ld nd y e. ka T ea * x SI epa AS y= eye A ^" eya e. ou ka As eu ey e a „> 


Xe S) le alo ale e 3 ale e! ale ale ale ete ee ale siz als ale sie yz ale sie ale ale abe ale ale als ale ale slo «lo «io so ale ale ale sie e sie ale ale ale 
` ` ` ` 
A nA Z K S EN Sé Su Së A eX = au E es >. >< esie Sé >< ix gu SIUS AS ei (X W EIX ZN IX IX ZIS CIN ZIN XZ IIA IIA IA SÉ i2 > 2 i A œ ZN IX ZIN 


SE D R MK SEGMENT 


This procedure completes the parameters needed ty the 
PA eno, se amen. ihe record structure is 

descrited in the file agate.lit provided ty Gemini 

Computers Inc. 


The parameters recelved ty tnis procedure are : 


-- mmt “7? Aa process definition 
E mentor ==> indicates the segrent number tnet 
== will te perert of this new segment 
-- entryx --> indicates which entry numter of tre 
E mentor is used to creete tnis sezment 
E nur ter Ro ug es acia un ber that the sesrert 
-- Will@aave in the LDT 
== mode Sc ce kinc of sezrent thet 
-= PTR r w, T e, Etc.) 
P success ia ole that indicates the 
E result of the operation after cell 
E tae primitive 
-- This procecvce is used to makekrown the mentor and 
EC synchronization segments 
EOUHMUHP mk seement ( 12nit : in rl _ process def; 
Mentor e- ian intecer;, 
EA ; ln intege 
uumber cNn-interzerm; 
mode IS SS e; 
SeCcecc out intezsp ) I5 
moe RMC L 
seg ret rec : mk kn return; 
Ds oes : aC@ess Class, 
FEGIN 
w class :- init.resources.min class; 
seg rec.mentor :- mentor; 
SOIN EEG = Entri 
SNL CSEPHENMUbeT := number; 
see Ee mode; 
SS geen, bel 1); --ring 1 protection 
SS Cece eer  :— NULL INDEX, 2:00 4 06 


93 


seg rec.gete prot :- tyte( 2 ); 
makekncwn segment ( seg rec, seg ret rec, success Ji 
ENZ mk segment; 


yess ales abe ate ate che ale ale a < da aly Je x: als ale ste ale e als ss ewe a a nis alp nio ale ale a whe we ale n Le de aly ale ale Je ale 
— na Sas S 2 38 AS sqm v de WM GECKEGE Pte (* 63 MADE al KEEN 25 2,5 AS OK 2 SSIS TK AS AS HS AS AR OS IS OK OK OR AS ey n M SK 26 AS OS OK Ze 


2 ls alo als es te ale ale ale ale 


ts ata ale ale ale ale de ale ale gla gle gle ate vie xl ale gts ale ale ale aie ate gle ale ale alo a! < la aile sie sie iz la sl e ale a! als 
e = AS oe o> v^ 2 A. sun -- r> 3. AS 2.5 ne Ar Zus X AS e AS Ld hu AS ep 25 SS AS Ss Za 9. Ld hd 3,8 a > NES e “> > Ke SS + CS Ld did 23,6 > is AS Së ZG Ss ss ~ aper y 2 a eye ee 


-- PROCEDURE MAKF KNOWN SYNC 


== This procedure effects several actions related to the 
== creaticn of speciel segments to synchronize tne main 

-- application program with the active user. Since tae 

== sEgrents were created by the active user tuis procedure 
== will only mekeknown those in its own LIT tetle, enc 

-— syapin these eet 


-- The patameters received ty tris procedure oE 


== init ==> initial process daf imi ton 

Tum ch vera ==> indicates Une pebsmelensqucls Me 

E create the user handler greece 

== age mass =--> Pima Se tes” e access cless of the 
SS segnen t to te emat cd 

=- EE EE --> indicates velleh EE 

ET trying to cgsmunlieete witi 

m ch user syzc--? is am output record suben 
-= the segment nurters assigned Lo Mas 
um synchronization segments 

a= Success --> output variatle that inéicetes) tae 
A result of the operation after calm 
m the jrimitive 


A ES proceduce is used to makeknown tbe synchrGoii Za 
-- segments (main application - active user) | 


FROCFDUR RE make know synak init in ri process def 
- 7 chapara : in TE 
ch class : in a@ecess classe 
ch ective : in integer; 
ch user sync : out users act ties 
success : cut int rer mE 


mentor : integer; 

EMM ec 

seg mode : SES ARCE du 
see. number : Inle Em; 
class > @CGESS _ Chass) 


BEGIN 


CO 
i 





meke known rcot segment (code segment of each child) 


Power 9) —— 
Cur kee = 
ASI pardesymehr chlc mentor: 
seg mode :- r w; 
Geos 1nrt.resources.min cless: 
rk segmentiinit,mentcor,entryx,seg number, 

` seg mode,success); 


EE EE EE E 
) 


if success m ð then 
put _succ( success value £26 is ",success,ch class); 
put n(o PBI Wech class,  ); 

end if; 


make Krown stack segment 


mentor := ch_para.synchr_chld_mentor; 
ees :- 14 
Ser :- Chi para.synchr_cald. stack; 
Seer mele := r w; 
mk Meer en init,mentor,entryx,seg numter, 
Hcc mae. success) 

Jt XCHNSICE SS /- Z then 

A EE is ,success,ch class): 

But @an(STDIO Wyweh class, ) 
end E 


meke known dete segment 


mentor := 
en Un: = 
Seg number rech pere.synchr_chld deta; 
seg mode := r wj 
ma segment{imitpmentormentryx,see number, 

Ser eode SUCCESS) 


Chmparawencnr calle mentor; 
Zi 


< è 


11 Se ss /="4 then 
put_succ( success value 222 is ",success,ch cla 
PUTAS IDO N cb cless, ); 

end if; 


~~. BPP 
"6 


p 
un 


ch uger syaclceh active).sez date :- 
ampara asin car ac nl cata; 
ob sem semnc( chmactinveds. seg stack := 
pu IcehEehnld stacki; 


Sap Seememi(eh wser sync(ch active).seg data, 
success); 
reed event counts of eech segrent 
read evc(ch user syncích .active).seg. data, 
ch user sync(ch active'.evc data,success); 


e 


terminate segment{44,success); 

if success c ML MEI 
put succ '( success value £109is  ,sUCOOSENChWONGHSCEE 
put Tn is TIAS pyn pem ) 

erc ieee 


END make xnow sync: 


e ale sie ale ale ate ale ate als ate als ale ale sie ale Jo Ye ste ste ale ate See ale ee slo ale Jo ate ale ate abe ate ale ale ale ale o wle wie 
Ce gra és er A (XZ us es er AS Oph OF AS AS HUS et > = Ae AS E x ye sn EM aus sn cœ Z ZW ZX ZX ZN Z SX AN Z ex 


xie ule ate aly y. alo alo ses «ales > wie sie sie sie ale ale sie sie wie sie sie sie sie sie sie ate sie sie sie sie ale wie wie wie sie ae alo sla «3» wie als aie alscta aly sie sie ig ule ale ale ale ale ato 
` kb, 
— € Pye Og ra Sys FAs Oye IX eX ZX M S ra PS Oye OLS OAS ZW EW aS IU IA IA AA IIA IMA AI ruv ram Oe OAM OITA BD W ZN EN IX ZN au 2 Vë > L ZN eX ZX êN ZX ZW IX IX ZN 


-- FROCEDURX TIE E oie 


-- This procedure terminates the sesrents maxexnown 
== ¡previously with the otject o sywehbroalze 10e ATACA 
== tion tetween an active user and the mein -apol. preszran 


oe 


== Tke parameters received ry this procedure are 


e init --> intithel processmaet inition 

= chup ra --> indicates tHemperdh NeT: Oen 
-- 8 create the user handler process 

== ch class --> indicetes themaeeese chess of 25H 
-- " segment to te created 

x success ==> output variable that indicetes (M8 
er result of the operation STEE 
= thewpr imi t ime 


== This proceduce is used to delete the synchronization 
-— segrents created before (main - ective user) 


FRCCEDURE terminete synchr_seg\ inf: if Tipo ces si 
ch Lara: in Pornos 
ch class : 15 TOTES SS 
SUCCESS : but intel 


== terminates the segments created 10 Simona MA 

-- epplication progrem with tne process NEN EON S 

== child process leaving availatle the segment numbes qm 
== mire JE 


BEGIN 
terminate segment(ch_para.synchr_chld_ data, success ,5 


terminate segment(ch_ pere.synchr_chld_stack, success };3 


END terminate syacnt i- cri 








ale ale ale ale ate ale als sie ale sis ale ale ale sales ale ala als sla als ale gla le ale ata ale ale ale ale ala ale ale ale ale sie a e ale als sie ale sle sle ale sie ale ale aile «le 


ale sz ale ale si alo ale «ls 5 2 2 ale x ` ` exe 
S ZW ZN ZN Z IAS IAS A RIA IA NA (NX Zx ex éX Zœ ZX eœ 6% 2% INIA IA IA IA IN Ir rr y e Qoam AUS nS IUIS AS AS FINES IN AS B Ies, KEIKESE IKEA ZIN Z 15 


ale ale ste ale alas 


ale a ale ale wi e Jo les a te ale sig ale rte sis ale ale si, D als ele ale we aie abe ale aly abe als abs abe 
FAS AS AB AS AS AR OR AS d 52 < £3696 25 


az ls ale sis sle ala sis le qiu la le de «lc 
dy eya “y an Së <> n = SÉ IS PUNA P > $49 AX aS WW ZIN PIN 6S H4 a AX AR Tq nS Zen IX Zur Oy? cns 


st 
> 
? 
ER 
? 
3 
é 
` 
^? 
> 
2 
? 
> 
2 
st 
3t 
KA 
"ox 


PROCEDURE FILL INIT 


De eE fills the process definitior reccrd with 
Mio ies in the initial process definition plus 
Mae eS t the rerent will pess to his child and 
MitemaeGeess Class ot this specefic rrocess 


EDS meters reeeived ty this procedure are : 


SE SEENEN eelere Cefiniticn 

GNO DNE SAS > defilnitior 

HMM Aca tes the resources passed ty its 
perent 

SUCCESS ==> output veriatle thet indicates the 
resuit of tre operatica after call 


tne primitive 


A E Wes fill imit( init : in ri process. def; 


ON, Ti process def; 
mre olmrcer sin child resource; 
Mes level record. LS 


AE iaa Doc ess record of e child 
Pess Cellad ty cert proc tst. 


EN 
EE, in1t.cpus 
SO Ne pur := init.nurm cru; 
cias: += init.aum K STL 7 
A access ¿= init.root_ access; 
AS => 
ce albices. priority -= 

IE nesuDncecopuNPliysM--same as parent. 
t24 frm integer( ch resource.memory, 

ch init.resources.memory ); 

ch jnit.rescurces.processes :- ch resource.pyrocesses 
CNELUN Ies cupcessseesemnts := ch resource. Segments; 


GES dE i ped with the specific access class 
of each process 


Eeler: Gees o class 
EE DEE Ge Ere, .max class 


EE min 
ch init.ring num :- byte! 1) 


ch_access.max 


ch_init.spe := Us 
A 


à te wi 1 à 1 ' : ‘ à 1 1 U ‘ 1 i 1 * i , à 

wie gie 9 '9wW'» wig t» Ww" Ie MÉI ie e. 7 «no o Ié w'e S" - 52-9 aa o A TP NT w AT "e xe "e wv, o «e es ale «ls «nde ndo «ono ne le «la w'a D 4 i * 1 i a 
or "e Ie wae m'e xe w'e we 

Ld nd Zum Ss eu LA N ey? a> r> en e dh Ld hd Suz eM Ss dh Ss Sr -\> Ss Ld hd Ld hd Ld hd 1 sS Ld hd T Zus Zus 2,6 veu bh Zus "s kb 2> Zus ve Ld hd Sr kad Zus Su kWh - 9 eu en Su -> dh DM > dun Su > > 


1 1 A à ` ' 4 1 1 1 1 ' 1 1 1 1 ' 1 1 1 ' U i 1 1 1 1 à ' à 1 1 U A ' ' à à 1 à 
ale ale «qo eiu ate ale ata ale alo ala aia ale ate alae alo aia ale ala ale ala alate ale nes ale ate alas e ale ate alas xie «lo nio eo lse xie xte ata ale als aia ala ats we abs ale ale le «is ale ate al je wi LÉI 
IN IN IX ZW ZIN dés dr ds US es s SIS ds dés dés dE és dés ZS dé ntc SIS dun gun dës A Ld hd A Pur Myr Myr QT rut tS ovS FS fc. $^ ZS dur US us dés és dis ds dun du duh du ayy ei" oie SE 


PROCEDURE CR PROCESS 


This Lrocedure performs ell the operetions necesse MT 
create e child process, this Operas DENM 
makekncwn the code segment cf tne child, creation of 
Stack end ¿ete segments, fill the addess space 
specificatlcn end prvcess ODE MEUS 


The parameters received ty tris prcecedure are : 


init ==> initiel process CS ini man 

eh pak == parameters omen ea 292 eee 
(segment nurbers,entry numtce rs EE 

process ==> indicetes the process numter 159 
created (example active user 1 ; 

ch resource --> inda oates the resources Ee ke 
child wall Mame 

synchr seg --> indicates the segment tnat 15 POER 

i to synchronize this aew process with 


its perent 

SUCCESS ==> output veriatie that indicates fae 
result of the operation after Gam 
the primitive 


PROCEDURE cr _processl init Ar rior NC M 


comes : in Tl _perametense 
ch access : Xn Jere recono 
proces .: in integer; 

ch resource 2 in -chilc res cas 
synchr seg : 11 integer: 

success : out integer ) IS 


chld seg : r1 seg structi-- rl addr array tor Clim SENE 
ch initi: iri Tr M NEM -— rl process def for COM 
seg rec : create seg struct; -- use@a to create ctae ke LL 


segl mkn : mx_kn struct; -- used to make «nhnown stack SEMA 
segl ret > Pioneer 

crt rec : Tiere Ua ce == create process stric mEes 

ch séeUlist™ = sefearea = 





ch_inpt_mess : input messege: 


data def size: integer; 
end chla. : toolean; 


w class mee Ce Some ass; 
Sve Value : Inteser:; 
EE Integer: 
dee mgri tytes : iwteger; 
MENOR: Inverer; 
B 3nteesr; 

uuu csse : integer; 
dummy : integer; 


Ecomstants forodetermining stacx size 


ril steck size : CONSTANT integer := 1E#AFF8#; 
[met Size > CONSIANT integer := 4; 


BEGIN 
DEM ch eccess.mins 
EC orem ore e ear ertor Coce; =- appl. root 


segi mkn.entryx :- ch per.eniry code; 
eel Mko.se2 number >= ch par.seg »umter coGe: 
Sool Xie see Mode = r E; 
segi_ mxn.prot level := tyte, 1 } 
SA a te number := NULL WD 
makeknown segment( segli mxn, seg 
if success / NE EE 
put succ( success value is ",success,w class)! 
ENNEIn(SPUTO Wow clases 5 
END IF; 


e 
d 
aX: NIS zatre 
7 Me 
) 


1 ret, success 


-- ES A he 


UNT C seges númter = Ch perseg number stack 
Gina Ses ee mode := DW: 

Chld sé€g.swapin := TRUE; 

Cr laS con protect #= bytel 1 }3 

coreo cdo Z ) <= chld seg; 


-- address spec for child’s code 
EE EE numbemecodle; 
chid seg.seg mode :- r e: 

child seg.swapin :- TRUFT; 

Cala segaproteict :=-weyte( 1 

Eeer nm 1 ) := chld_ seg; 


It ~e 
<o 


-- address spec for chiid’s mentor 


chla_seg.seg numter := 
chld seg.seg moce TM 
child seg.swapun 00 
chlc sege.proteewe - D 
crt rec.ri addr arrayt 


SyTONTA Ses, 
= as 
e. 150% 
2) := child See, 
address spec fcr trep handler segment 


chile seg.seg number := 
chid seg.seg mode 
chld ses. sepia := IR 
chid seg.preteckt aie. 
crt rec.ri addr arrey( 


irit. initiel segí(4); 
T 
. , 
) := child see. 
address spec fer child's date 


chid seg.seg number :- ch par .sSeE mirer 


chld seg.ses mode :- rows 

chid seg.syaplin -= Tee 

chyd ses.prctect o: us NT 

crt mec.rl eddr array( 3 ) := ori RE 


fill the order in which the segments will te passed 


ch eee list 
ch_seg_list 


(2) ch par.seg _ nurter_steck; 
(1) 
ch seg list(2) 
(3) 
(4) 


ch a^ seg numter code; 
synch St AE EN 

ch per.seg numter data; 
;z init.initial sez(4); 


Ho Hg 


ch seg list 
Chasez PP SN 


Calculate required stack size. 


(in the future will celculete based on dete in) Ge 


file neader tut now just use constant.) 


seg rgr bytes :- ( stack heeder^ — ES 
(init numas Ml kst entry SIZF/& )) + 
( kst header ’SIZF /8 ) 
Stacks i276. OMM stack sizetvect -Size*seg. mgr tytes 
( rl process def “SIZE/8 ); 


create and make known child’s steck segment 


seg rec.mentor := ch par menu crs meer 
seg rec.entryx := ch par -e€atry stag, 

seg rec.limit := stack_ size - 1; 

seg rec.class := ch access amak; [eee cc 
create segmentí seg rec, success ); 

if success / O Bun 


put succí( success value de 1S ,SUCwIESs (wee ceca 
EE NIS. 
J 


put In(STLIO VW weelass, 


a 
1 
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. 
— 





END IF 
Segi e mentor :- ch péer.mrentor stack: 
SES ` —mkn.entryx :- ch rer.entry stack; 
segi mkn.seg number :- ch par.seg nunber stack; 
segl mkn.seg mode := Ws 
segl mkn.prot_level := byte( 1 ); 
segi mkn.gete number :- NULL INDEX; 
segi mkn.gate prot := byte( O ); 
makekncwn segrent( segli mkan, segl_ ret, success ); 
if success /= @ then Ñ 
put succí success value a is ^" ,success,w class 
, 


M E HI 


any 


: put ln(STDIO V,w class, } 
END IF; : 
Swapin segment( ch _par.seg numter stack, success ); 
if success /= € then 
put_succ( success value t 
o ODO y class, 
FEND IF; 


is "success, w_class); 
' 


à 
/ 


| 

: e 

| E create end mace known chilà s date segment 
l 

1 


Boo Tec mentor <= ch_par.mentor datas 
Sele TeC.Chtrys == Ch par.entry date; 
de rec lirit := input. message SIZF/®@; 
AE ass => Ch decess. Nd X; ——. "vex em 
create segment( seg rec, success ); 
de EE EE 
put succ( success value cc is ",success,w class); 
Die ollDiO Wow clase, ); 
END IF; 
See. Ween. mMentcr := ch par.mentor dete; 
foo eee enimyx :=ech pear.entry date; 
cen ee See TUMNCEr :- Eeer, SG EE number data; 
Seeltemka.see moce 3= r Wi 


| 
f 
l 





| apro level :- tytet 1 ): 

| segi mkn. E pu uer := NUDE. INDEN; 

segl mkn.gate prot a “ome 

| makekncwn prc | segi mkn, segi ret, success ); 


T Cf ¢ then 
put succ("success value c is ^", 
DIESE nS mNENSSW w class, Js 
FND IF; 
| swapin segment( ch par.seg rvumter date, success j; 
| if success /= @ then ` 
| put succí( success value d is ',success,w class): 
ECs DLO W,WROlasse. i 


Uuccess,w class; 


Ln 


*ND IF; 
EEG ceba las ri process def 


SENEC MC. chain chn resource, ch access ); 


tal 


determine segment $ offset of ri _precess def initial 
record 


def seg :- lit mkosel( Jot 
ch par.seg number stack ); 
def off := stack size - ( vect Size] se2zumerey, oom 


rl process def'SIZ7Z/8 ); 
move ch init into proper plece in child's stack segment 


rl def size :- ( ri process def'SIZE )/8; 
move bytes( get ss(), ch init edüresss dete 


sex deft agi 
ri det size 


| 


+ Y 


fill in remainder of create proc cr DUCI 


crt rec.ip := 128; -- skip command file heeder (62 nem 
Crt cTec..S0x == det c -- set crhrilds stacx pom 
crt rec.Sil :- stack size - (vect size * sez ngr bytes)i 
Crt nee. swe LOT -- no ring 2 stack 

crt rec -veo Se = Me, -— ri address array 21.0 MEM 
crt_rec.vec_ off mi EET e cree 

crt rec.child@ num -=S OOC en 


crt rec.priority := ch Init reson ee On ERA 
crt_rec.memory := ch init.resSour ccm M 
crt_rec.processes := Ch initirec ourc ee a ie 
crt mec.segmnts :- cn init pespur esn ERETTE 

ct rec™min_ class “= cn init “somrces mit cn 
crt _ rec.max_cless := ch_init.resourcec mTorr 


reed evert count so we Know when child has self Celetec 
read evc(syrchr seg,evc velue, success ); 


creete the process 
create process( crt rec, success ); 
if success /= @ THEN 
pu Le su ee | creete process success - , 
success, w_class ) 


"9 


END ifs 
GEN Proce sss 


proce; 





NN cU tel. arl, alib, slibj, strlib, util, files; 
FACKAGE proce IS 

ETE s ari, dligo, alitj, strlit, util, files; 
E. DEAS ALK AC BS AS IES TE EE TIS OK BK OS BK OS BIS NS DIRS OAK AS AS SK OPS OS IS SE OS OS OK FS Sk BS SRE HS OES OK SIS AS NS SIS OK OK AS IS AIS SIS OI K K 
peels PROGRSM IS PROCE.LIB 

== Contains the specifications needed ty PROCE.PKG program 
E A sic ste sic siete SIE SIS SIE 2.5 31d XEOROEONOOEOOE S2 OK SORS XOU NUN NC NCGIOXUOK 


FROCEDURE cr segment( init : in r1 rrocess def; 


mentor DA ee er) 
Eur tees eat atezer; 
EENS 


1 
success : cut integer ) 5 


EDO? 21 séegrent ( init : inm ri prcecess def: success : 
A 
PROCEDURE rx segment ( init : in ri_prccess def}; 
mentor : in integer: 
entrx ear: 
number : in integer; 
mode EE EES types: 
success : out integer ); 
ENSUUDUSE make know Sync{ init : in ri rrocess def; 
Ee EES te : 
EE Class; 
EE EIERE E 1 
CPGE rRe nc cow WUSers active; 
success "ote mbe-er),; 
PROCEDURE terminate synchr seg(init : in r1 process def; 
cb para : in rl parameters; 
SN l n access Class; 
success Toul imn erer); 
A DURE fill init( init : in ri process def; 
Cie lia: out TL process defi; 
CUT sion e O TES Cree: 
ch_ access : in level récord } | 
PROCEDURE cr prccess( irit : in r1 process def; 


ch para : 
GumecGeSs S 


Z 
L.J 


Lë 


Hor eoa rameters 
ENE Tec ora 


ENL prece; 


proces = Ir ir mEn, 

ck resource : in ©hnilda_ rec oONnSE; 
synchr_ seg : 10 Mess 

success : cut integer); 





EM eee en Or ROUTINES AND ADDITIONAL DATA STRUCTURE 


This appendix contains the procedures and functions used by 
the application programs related to execution of I/O operations. It also contains 


additional data structures necessary to run specific application programs 


" and is 


(parameters, record's description, constants. etc.). The program is "Files 
composed of two modules. "FILES.LIB" (contains the specifications of records, 


functions and procedures used) and "FILES.PKG" (contains the code developed 


for each procedure or function). 
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WITH agate, agatej, arl, alit, dla, pee. 
PACKAGE BCLY files IS 
USE agate, agatej, erl, elit, ede. SUITE 


STBIO e CONSTANT TOMES 
aT RL CTN IN 


1; 
d 


FROCEDURP t24 frm integsr( in vel : 11 Ae 
b24 val : out b24 tyre )IS 


a Routine to convert an integer into a 
/ 


=> R24 type variable ( G-bytes } 


REGIN 
b24 val Gye 
b24 al. tyr el 
b24 veal. tyteg 
END t2£ frr_intemer; 


tytel 2 )5 
hi( in Wal ) 
lo( in val ) 


è 
) 
e 
1 


PRCCEDURF put 1n ( ldev : in integer; 
y class sin racic 
str in strie ES 


-- put a string on device Icey Veneers ae 


out MA: "SUP 1); 
success : integer, 

wt Sio : wtr Scu SU DUCI 
size ssir e ir rreran 

CR : CONSTANT integer 
L¥ : CONSTANT integer 


135 
10; 


BEGIN 
OUT buf $us tm 
size str :- length( str ); 
cut tuf :2 out bu$j&" char to Str  charscrem 
out tuf :- out buf @ char to str oror e M 
wt sio.device :- ldev; 
wt sio.Gata off :- out buf ADDRESS + 1; 
wt sio.data seg :- get ss(): 
wt sSlo.count 5205128 DE 
wt sio.class :- w class: 
write sequential( wt sic, success ); 
END put ln: 


mM mm 
i= 
uj; 
_r € 
Kb 
m = 


PROCEDURE tlk scr ( ldev : in integer; 
w classo inp eeo 
Str 2.) eS tr oe eee 


18E 





a 


== Clank the screen end put 
p eT oie Os ltl On 


out ruf 
SUCCESS 


Si O E 
integer; 

wt sio SEO iS truc ts 
EN CEU Leser, 

ESC : CONSTANT inteecer 
E IO Sa NT integer 


Pin 
(On A 


Hou 


BEGIN 
out tuf := str: 


mee Str := length! str 55 
Sue bute Out buf & cher to str( character val ( 
:- cut tuf & char to str( character 'val( 


out buf 
MI sio. device := Les 


ER e in tre 


wt sio.data cff := cut_buf “ADDRESS + 1; 
uU slo.daba seg :- get se); 
ci osconmtos— size Str + 2; 


DIES o.cbess :—- y Class: 
write sequential( wt sio, 
END tik scri; 


PROCEDURE get str ( ldev : in 
alas 
St reu som 


== Aa rin from device 


ine cut Seine e2); 
success integer, 

noms l0 rd seg struct; 
ren ret ra_seq return» 


FLE Str $5 integer: 


BEGIN 


Success _) | 


integer: 
OUGeceeess Class, 
Wel ES 


ldev. 


Mis ote off <= In buf ADDRESS + 1; 


Ra Eege ldev; 


rd sio.dete seg :- get _ss(); 
read sequential( rd sio, rd ret, success ); 
BE UNES NEL. - craracter val( rd _ ret.count 


str := in buf, 
melass: rd ret.class; 
PND get str; 


PROCEDURE put str ( idev : in 
WC ass 


integer, 
PESO LaS Sy 


cro: ineemrine ) IS 


LQ? 


= put a strin* on device idee, 


OUTT EME : SMS 
SUCCESS : integer; 

wt $510 : wt Seq SsStmueie 
size str : ImUGSER 


BEGIN 

out buf :2 str: 

side str lena 

A AE EE 

wt sio.data off :- o li + 1; 

wt sio.data sae EINE 

We 510; count := size E 

wt sio.class :- w class: 

write sequential( wt sio, success ); 
END put str; 


PROCEDURE put _dec( ldev : in integer; 
We Geese : IM aCCeGsuc 
el 


e e551 
dval > imsime leger 


1 
S 
-- put the string equivalent of a integer on tee TON 
-= PISANI 


Out. bat : strigne SITE 


FEGIN 
out ctuf = [otto Strela 
put_str( ldev, w_class, cut_tuf ); 
END cee. 


PROCEDURE tut _suce! IIT UN 
dec val : inan un 
w Cless : ir access cless ) IS 


mdr print a string ard an integer on device atico r 
=e slot STDIC_W (should te a serial terminal). 


BEGIN 
put str! STDIO W w class IO e 
put dec( STPIO vw, w_class, dec val ); 
put ln( STDIO Me w oles mee 

END put succ; 


N 
d 
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Moe TON et inputt eco : in bocleen; 
class n access class ; RETURN string IS 


== Gets en input string from the terminal end echoes the 
EN 1 555echo-optroB is-on. It alsco converts all the 
cee input to lower case 


-- constents 
ERMLDO RO: CONSTANT integer 
omer We: CONSTANT integer 


it H 
C 


Sos tr : string: 

ind : integer; 

values : integer: 

pela westring(1); 

EN aes —: access _class,end_irput : coclean; 


TEGIN 


Ware basis 
end input 
mre 
nd str-t- 
while not EE in pet. LOS 

get str(STDIO R, w eb iurc 

Eege Ch(1) im 'A'..'Z2' then 

jmwech(f) := 
cherecter'/valí(charecter'pos(inp ch(1 


Eos cies S 
false; 
di 


su UH 


EE 
EN 
iim cwarmecter pos(inp ch(1)}) = 12 ) then 
end input Ze true; 
EE 
EE En 
Buber ST DIO WM, rdlcless, inp ch ): 
END IF; 
A insertlí inp_ en, rd str, ind ); 
Ma ina + 1; 
end if; 
end LOQF ; 
RETURN rd str; 


ENU get input; 


PROCEDURE attach tew( OLOR A Le ser, 
LDFVY : in integer) IS 


e attach.serial port for writing. 
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moče |: atte casi 
w*class + @@C@ee NEN 
success : Inteaera 


BEGIN 


mode. dey rorem STONE 
mode.siow rec.dev num :- io 
mode: SlOyerec. ce tyre au. 
moce.sicwerec.dev id {= DEM 
mode.siow_rec.mr1l := bytel 1542434 ) 
mode.siow rec.mre := bytet 16#O3E# ) 
mod@.sicy réC.10 Bode ESL ori 


attach device( mode, success ); 


O 
1 
E 


aa e 


9 9€ 


END attach tew; 
PROCEDURE attach.ter( IOXPORT : incipe 
LDEV : ip 1m EES 


E attach serial tort for reading. 


MORAS ; attach svruver., 
w class, =: acces C MEE 
success + integers 


PEGIN 


mode r cev nare -TAn 
mode r.siori rec. devani i 
mode rr eSior Tec eve 
Moceir.sicromec ae veces. 
mode" EE ee 
mode r.sior rec.mr2 :- tb 
mode- r.sior rec nomi O E 
mode r.sior roc dae D R 
mode resiori rec qom E E 
mode r.sior rec.maximum : 
== en y are 
attach device’ mode r, succ 


Br EO 
e 
71 
ct 


ry ee kä kä sa Ol 
Tt db 


(D "xj £o WN 


aN ct ON PD 


AO cac 


Ln 


U et OO sn eer? 
e 

pa rss H it 

Cd bef 


“< 
ct 
~~! 
+ o 


e character at a tire. 


~ 
< 
D W KA I! mMM arnan LU? 


Ln L e 
N Ln 
~r O 
we TY 


END attach ter; 


PROCEDURE load paramiinit : in ri process def; 
ch para : out ri poriniai 


-— Produces ea tetle of peremeters with informetion needed 


Bee 





-- ty the mair applicatien pregram (segment number, entry, 


== mentor). 


INITIAL CONSTANT integer <= J1; 
NXYT NUMBER FRIE CONSERT integer 
CA SYNCHR MENTOR CONSTANT integer 


index integer: 
next segment IIO eT 
data number integer: 


ch raram 
Wer revel 
en child 


DD d TIE ers 
leen MENSIS Td 
integer; 


REGIN 
Rest Segment :- 
S Me T 
Sacar cala 


INITIAL; 
NEXT NUMBER FREE; 
CE SYNCER MPNTOR 


Hott 


+ 1 


40; 
a4; 


uH H 


== next se€ement availabi 


EN c= 1; 
ebilesirgex < & LOOP 
un patam.entry stack = 
Ch perem.mentor stack *= INITIAL, 
memt seement :- next segmert + 1; 
Cmppe re. see numter stack .:= 
at segment := next segmert + 1: 
Sais SE number se Ode 
Cin pegemecmiry code += Index e196. 
Cimearan ere ntor codems: = 
ch param.entry data :- 
Gm perem.mentor cate := 
coman? number data := 
data numter -= data_numter + 1; 
it Dex 4 then 
Si pSTepmesumchr cnld mentor 
Spe ram .syaecr chid stsek 
OT Chid <= synchrichic = 
Cmmecaemesynenr Cchld data 
Senor eecera :- synchr child = 
ease 
Caos yncnr culd mentor 
ch_peram.synchr_ child stack 
EE EE, date 


index; 


index + 4; 
EO teas 


kA H mœ u tt 


END IF; 
ch para(irdex) := ch param; 
dex. = index nl. 

END LOOP; 


END load param; 


St 


7 


next segment; 
-= (Sxl Sezer t, 


init rri] pesch A 


Cice numer; 


CR SYNCEH MENTOR: 
synchr chld; 


Syo arec hlad; 


= 


PROCEDURE load access class(init : in rl _ process def; 
usr.access :; our usErc EE NM 


-- Produces ae tatle with the security access level deten- 
-—- ding on the useri evci 


usr level ¡"Levels 


BEGIN 

usr level.rir.comeromises1 na 
usr, level-mir .c ompr omis er n E 
usr level min.inteerity SIm  e. 
usr leWel.min.1nteeri ty NM 
usTr_level .Max.COMprem)s lat TT 
usp level mex. compromises in ti 
usr_ level. rar. 10teenil 
usr lewel .mMax .in teenie ee 
usr _access‘TOP SECRET) := usr_leve 


i D Hu 
(y 
MS 
d 


| 
NOOO NO 
YA KA .. .. so j =o 9 eg 


<- è cn 
™ 
¡fa 
e.» 


usr. level:mir. compra Sea 
usr level .min.comLrori sewintl 
usr_level.rin.integrity.int2 

usr Leger HEEN 

usr level.max.compromise.inté 
usr level.max.cCOmppompee am S 
usr level.max.integrity.int2 ju 
usr level -per inum Eet := 
usr access(SECRET) :-» usr level; 


ew .. e^ .. ee 


t 
U AANU SDD m 
bp 9 we -o þe œe ae we 


usr level.min.ccomproti c eae: 
usr Leg HEES 
usr Lemel pit ieee eee 


b 9 90 1 
cn 
S 
H> 


usr_ level. mia e SN 
usr level .max .comprop ie tie 
usr level .mak Compromise. lard 
usr level .max inten may) ee eee 
usr_ level .méex integra, aes 

usr_access(CONFIDENTIAL) "es usr_l 


il 
rb 9&3 O00) CQ C2 CQ 


PIDE =e 
(D (YN 
m Q 
e if» 


usSr level.min.comprombsSsESI 
usr level .min-compromme E uL 
usr _ level.min intear iit D IE 
usr level.min.intecplb deu 
usr level.max -compromis crainn 
usr level.max.cormnprt onni e a eee 
usr level.max.integrity i  :- 
usr_level.max . im) 22 ree UP A 
usr_access (UNCLASS Fig =: — ae 


(0 (N) C» C3 AN AA ® 


E 





pao e@ecess Class; 
POC uvUkemecadeepadreri (init: ir rl precess def; 
NE Sram = out rl parameters ) IS 


SES e Ele of parareterS with irformation needec 
== “sy the User Handler 


MENTOR S CONSTANT integer := 31; 

BEGIN 
ch_param.entry_stack := 1; -- always 1 
ch peram.mentor stecx :- MENTOR; p 
Gimparam.cee number stack := 32; SE BEL 


Ggepeber.seg number code := $3: 
EE Code <= 4 
ch param.mentcr code :- i 
er peremn.entry deta :- Z; 
ch paraer.mentor dete :- MENTOR: 
ch param.seg number data := 24; 


, 
als 1); 


ENTE toed parari; 


ANO EDURE loac chile active 
MS be, ap iw) IS 


wenta lazes the Wëtire User record to FALSE. It lets 
SO toed the Active User segments each time a false 
Rc "record 125 found 


index : integer; 


BEGIN 

index :- 15 

wuuBcENDder « 2 LOOP 
usr active(index).active :- FALSE: 
usr ective(index).seg Geta :- g; 
usr active(irdex).seg stack := ¢; 
usr_active{index).evc_data := 2; 
usr active(index).evc stack :- 8 
Meere F L; 

Sra LOO. 


1n 
is 
E 
e 


HwND Load child active; 


PROCEDURE look for level(usernare : in string; 
Pecsworde, wuerstriag: 
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ch access ; nuse MC 
ch class : out aecesss class) 2i 


== Sirulates the Logon precess, loading the access class Eoi 
-- the user depending on the Username ame Passmore 


BEGIN 
if password = fealconl ther 
ch class := ch access(1) .maxi 
elsif pessword = falcon then 
ch :elasis. := chyaccassiiao mee 


ELSIF password - "secret then 
ch cless := GE 
E 
ch class :- ch9agesss c mS 
END IF; 


END lex fcr level, 


FRCCEDURE initialize tetles.seg tetle :_out files darai 
seg head : out segment header) IS 


-- Initializes tbe internatk-tebtjes tratwili simula te TiS 
—-  eutometic creetion of segme"ts numbers usirc tne m EE 
-= tatie 

iaden : integer; 

w cless > Q@Ce see Class: 

REGIN 


Ww Class.intesenityc mb M oe. 
Ww Cless.integri uc 0 T 
w Class.compromise.intl :- @; 
w Class.compromise.int? :- €; 
seg kead.mer rilec T TR 
seg_headrext ambi MEE 

seg headwn&emt aged Tent 

seg head.next avail men 

seg head.max open seg INITIAL FREE SEGMENT! 
seg heed mex opener INITTAI FRE UNITE 
seg head.max_open_men := INITIAL FREE MENTOR; 


2 e. 
e 


Om 

INITIAL RES Sua 
INITIAL. “PREF ENTIA 
INITIAL FREE "ui 


I 


= E) 


uU oh gg oM 


-- initialization of array that holds TIMES TITO 


index := @; 
while index < MAX NUMBER O70 SE Ite TOS 


See tatlelindex).nurber 
seg tatle{index).entrys 


u MH 
o 





seg teble(index).mentor - £j 
seg tatle(index).file name :-  ; 
seg tableíiindex).access cla :- w class; 


seg tablefindex).next avail seg 
seg teblefindex).next avail ent 
seg table(index).next avail men 
DUNS index +1; 


— 


uou Mg 


end LOOF; 
Mee initialize tables; 
OTTONE neck if exists file nare 


(seg table : in files data; 
file name ED string) RETURN 


INITIAL FREE SEGMENT; 
INITIAL FRPP ENTRY | 
INITIAL FREE MENTOR; 


boolean IS 


EE if file name declered in input commarcdc exists or 


Rc does not 

index : iniegers 
answer Goo, beans 
BEGIN 


Mo Z; 
enswer :- FALSE; 
while index < MAX NUMBER OF FILES + 1 LOOP 


if seg teble(index).file name = file neme 
answer := TRUE; 
RETURN answers 

else 
NOSE = inder + I; 

end IF; 


END LOOF; 
RETURN answer; 


AER reck if exists tile nare; 
PROCEDURE convert(ch in : in input messege; 


mcus s EI cese Ss 
en out Ou orano dne) IS 


tnen 


vcr se Tr oeearre assembles the Commad line using the input 


Mess aseo pe cy the user 


index : integer; 
incexl : integer; 
terp |! stringi; 


ite ech : String(1); 


BEGIN 
Im 
index := 1: 
index1 := 1; 
while ((index <= 48 ) | 
| and (index <= length(ch_in.input_one)))} LOOP 
if ((ch_ in-input_cne( inde) sige cy M 
(ch in.input one(index) ia Ur ME DONO 
templindex1) :- ch in.Pnput ome(indüáex); 
inder] *= Since) NE 


else 
if ((cherecter TT onelindex)) = 
and 
(index = A 
(character pos(ch_ in.input one(index-1)) 7 T TER 
ther 
temp(index1) := ch_in.input onelindex 
indexi := indexi + 1; 
else 
ES 
((character pos(ch_ in.imput one(index )) =e 
or 
(character pos(ch in.iaput onelindex)) = ium 
index! := ¡Mies 
templindex1) := ' ^| 
end if; 
end if; 
end if, 
index := index + 1; 
enda LCR: 
== load command line 
ch_out.commend := č r 


cheouto tas ons j 
ch cut.file names , 
chi out. corm non class c= ch TT 
index El 

index Oeae 


ut Glass; 


—— loop to Bibl com ana 


while ((character post temotimder D LL 
(index! < -SPEL Or 


ch cut.command(index1) :- temp(index); 
indexl indexl + 1; 
Bea index + 1; 
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BND 
EN? 


Enc OP 
loop to fill fileneme 1 


inaex := index +1; 
lndee := 1; 


while ((character'pos(temp(index)) /- 32) and 
(index! < 9. )) TOOP 


ch out, file narell(index1) := terglindex); 
indexi :- lndexl + 1; 
index <= index -* 1; 

egg cs 


Woov to fill fileaare 2 


index := index + 1; 
jer dme. *- 14 


(Y 
z 
CH 


Wile ((eharacuer pos{ teémp(index)) /= 32) 
Circ 2X ln 9 leh” WOOF 


erigemterile namez(indexl; := templindex,: 
anc := indexi + 1; 
index <= index +1; 

end LOOF; 


corwern t; 
I NS, 


TES 


WITE agate, agatej, aril, alib, alive], sure ee 
PACKAGE files IS 
USE agate, egatej, arl, alit, ALMA eee 


MAX USERS : CONSTANT intege cem 

MAX FROC : CONSTANT integer <= 4; 

MAX LINES : CONSTANT integer :- 100; 

== mar. records "for fae 

MAX NUMEFR OF FILES : CONSTANT integer :- zl: 

MAX INPUT CHSAR : CONSTANT integer := 54; 

INITIAL FREE SEGMENT : CONSTANT integer := Jl; 

INITIAL FRIES ENTRY : CONSTANT integer := 0; 

INITIAL FREE MENTOR : CONSTANT integer := 25; 

LAST FREE SEGMENT : CONSTANT integer ER 

LAST FREF ENTRY : CONSTANT integer := 11; 

LAST FREE MENTOR : CONSTANT integer := %0; 

SEGMENT LENGTH > CONSTANT integer := 5898; 

MAX TENETS : CONSTANT integer <= @. 

--— D security levels 

TOL SEEMS : CONSTANT inteszsm El 

SECRET : CONSTANT integer :-» 2; 

CONFIDENTIAL : CONSTANT integer := $; 

UNCLASSIFIED s COI iniLeser := 4 


SUBTYFE segment numter IS integer RAWCE 31, E: 
SUETYPE entry number IS integer RANGE @..11; 


SUBTYPE mentor number IS integer RANGE 25..940; 


TYPE ri rerameters IS RECORD 


entry stack : integer; 
mentor stack ; intesen, 
SEE numter stack : integer; 
entry_ code > integers; 
mentcr code > integers 
seg number code = interes 
entry dete : integer; 
mentor data : integer, 
seg number data : integer: 
evn count : inteeer: 


evn count datar REESEN 

synchr. chlà Tenter EE 

synchr chld stack : integer; 

synchr_chld data : integer: 
FND RECORD; 


TYFE ri perem IS™AZRAY MIm e joe ri parameters; 


TUNES 





EM: cate recorc TS EECORD 
Ra A 
EN E CCS Da 


ale tS ARRAY (GM .MAX LINES) cf data record: 


DE seg info IS TERQUE 
numer : segment number; 
ENNIUS o NUM Cer 5 
mentor IIT EET 
file name : string(&); 
meee ss Cla > access class; 
q 


TEn evcil ses 

pon avail ent 

mext avail men 
Be RECORD; 


Seemenat rumter 
entry number; 
mentor nurber; 


o. .. LE J 


Meme seemest neader 15 EECORÉ 





tes tored : i7teeer, 
Wowie We lil) So "xc re nm eT 4 
Men ent ES UNO ET: 


next avail ren 

He OPS: E 

Mene open ent 

nc open men 
END RECORD; 


ID oT MIT + 
segrent_nurters 
equam am VET + 
Demon mDer;, 


ee *9 se 


INE ip pout message IS FECORD 


input one SI os 
input result EE o); 
input class > access class: 
ENS RECORD; 
meee cOmend.line fon Ree ess 
cormand talas e 
fils_namel1 Ee 
file namec ae 
cormard_cless MAS. SS SS: 
result Moa Seales 


END RFCORD; 


segm_ info datemi ire; 
seem cless access cless; 
END RECORD: 


TYPE segment date IS RECORD 


TYPE files data IS ARRAY(@..MAX_NUMPFR OF FI 
Seg in 


EE Eeer KR EE OK 


11¢ 


min : access Clases 
max |: access cH 
END EECORLD: 
TYPF user level IS ARRAY (@..MAX LEVEES) of TENE IPC 


TYPE user synchro IS TREES 


ee LED dES 
seg date : integers 
seg Slack ; integer: 
eye data e Kerg 
eve steck > integer: 


END RECORD; 
TYPE users active IS ARRAY (1..MAX USERS! of user syncs 


TYPE child resource IS RECORD 


memcry : intezer: 
Pie Ses : integer; 
Seer els |. line Sem 


BND RECORD; 


PROCEDURE t24 frm integer( in val : in integer: 
t24 vel : out t24 type >; 


FRCCEDURE put lna ( ldev : in integer; 
w class : in MCN 


str : ir Sre RE 


PROCEDURE tlk secr [ Mer ee 
w class. ingecees > (clase. 
SETAS tae 


PROCEDURE get str ( ldev : inr integer: 
r class: out ¿ccess cues 
SUS 


PROCEDURE rut str ( ldev : in integer; 
wAcladssos iHnguceess MONESISIED 
str : in string ) 

FROCEDURE put _dec( ldev : im integer; 

w class : in access class; 
dvel : in interes 


PROCEDURE put suce( in Str) DNE es 
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MEC VEL wim integer: 
w class : in access class ); 


FUNCTION get inputí eco : in boolean; 
Ne MS access Class ) RETURN strine? 


PROCEDURE attach tew( IO PORT : in integer; 
LDEV : in integer); 


PROCEDURE attach ter( IO POET : in irteger; 
in teca); 


EROCEDURE load param( init : in r1 process def; 


Cava home Nout ri param); 


mo DCE load access classi init : in r1 rrocess cef: 
TENNESSEE Level, > 
EE loec peremilinit : in rl process def; 
ch param : out ri raraneters JI: 


Y 


DONDE: load child activelactiv_ usr : out users active): 


PROCEDURE lock for levelíusernare : in string; 


password : in string; 
Chiwecesss AMA Level ; 
ch cless : out access class); 


A URE initialize tables(seg table : Cumtefiles data: 
seg head : out segment heéder); 


FUNCTION check if exists file name(seg table : in files 
REENEN too 


t— CL 
(D t» 


4 


PROCEDURE convert(ch in : ir irrnt message; 
DS SS me C Ge sismc less 


ch out : out comand line ); 


Mh ati les; 


Vai 


ee = © 


APPENDIX G - SYSGEDUSIEERUNT FTIEENSSB) 


This appendix contains the description of the Sysgen Submit 


File used to sysgen the entire system, the commands used are : 


bs:ld3.cmd 
ks:kO.cmd 
ks:kl.cmd 
ks:k2.cmd 
cs:vlloader.cmd;2; 
ds:vilogin.cmd;2,10; 
CIS 5: 
ds:nv.ds;5; 
ds:prmain.cmd;5.0;t: 
ds:puserl.cmd:o.7: 
ds:prehill.cmid:557.4: 
ds:puser2.cmd:5.8: 
ds:prchl2.cmd:5,8,4: 
ds:puser3.cmd:5.9: 
ds:prchl3.cmd;5.9,4: 
ds:prbdos.cmd:5,10; 
ds:rltrap.cmd:6; 
end 
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